b'                Review of Management of the Department\xe2\x80\x99s \n\n                 Certification and Accreditation Contract\n\n\n\n\n                                 FINAL AUDIT REPORT\n\n\n\n\n\n                                            ED-OIG/S19-E0015\n                                              December 2004\n\n\n\n\nOur mission is to promote the efficiency,                      U.S. Department of Education\neffectiveness, and integrity of the                            Office of Inspector General\nDepartment\xe2\x80\x99s programs and operations.                          Operations Internal Audit Team\n                                                               Washington, DC\n\x0cStatements that managerial practices need improvements, as well as other conclusions and\nrecommendations in this report, represent the opinions of the Office of Inspector General.\n     Determinations of corrective action to be taken will be made by the appropriate\n                           Department of Education officials.\n\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7 552), reports issued by the\nOffice of Inspector General are available to members of the press and general public to the\n        extent information contained therein is not subject to exemptions in the Act.\n\x0c                          UNITED STATES DEPARTMENT OF EDUCATION\n\n                                          OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                             December 17, 2004\nMEMORANDUM\n\nTO:             Edward R. McPherson\n                Under Secretary for Education\n\nFROM:           Thomas A. 
Carter /s/\n                Deputy Inspector General\n                Office of Inspector General\n\nSUBJECT:        Final Audit Report\n                Management of the Department\xe2\x80\x99s Certification and Accreditation Contract\n                Control Number ED-OIG/S19-E0015\n\nAttached is the subject final audit report that covers the results of our review of the management of the\nDepartment\xe2\x80\x99s Certification and Accreditation contract during the period June 2003 through December\n2003. An electronic copy has also been provided to the Chief Financial Officer, the Assistant Secretary\nfor Management and Chief Information Officer, and their Audit Liaison Officers. We received comments\nto our draft report from the Office of the Chief Financial Officer (OCFO) and the Office of the Chief\nInformation Officer (OCIO) generally non-concurring with the findings, but generally concurring with the\nrecommendations. No changes were made to the report as a result of the Department\xe2\x80\x99s comments. We\nare issuing this report to you since it contains cross-cutting issues in both OCFO and OCIO.\n\nCorrective actions proposed (resolution phase) and implemented (closure phase) by your offices will be\nmonitored and tracked through the Department\xe2\x80\x99s Audit Accountability and Resolution Tracking System.\nDepartment policy requires that you develop a final corrective action plan (CAP) for our review in the\nautomated system within 30 days of the issuance of this report. 
The CAP should set forth the specific\naction items, and targeted completion dates, necessary to implement final corrective actions on the\nfindings and recommendations included in this final audit report.\n\nIn accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is\nrequired to report to Congress twice a year on the audits that remain unresolved six months after the date\nof issuance.\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7552), reports issued by the Office of\nInspector General are available to members of the press and general public to the extent information\ncontained therein is not subject to exemptions in the Act.\n\nWe appreciate the cooperation given us during the review. If you have any questions, please call Michele\nWeaver-Dugan at (202) 245-6941.\n\ncc: \t   Jack Martin, Chief Financial Officer\n        William Leidinger, Assistant Secretary for Management and Chief Information Officer\n\n\n\n                         400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510\n\n          Our mission is to ensure equal access to education and to promote educational excellence\n\x0c                                  TABLE OF CONTENTS\n\n\n\n\n                                                                                                        Page\n\n\nEXECUTIVE SUMMARY................................................................................1\n\n\nBACKGROUND...............................................................................................4\n\n\nAUDIT RESULTS ............................................................................................6\n\n\n        Finding No. 1 \xe2\x80\x93Department Staff Did Not Effectively Manage the\n\n              Certification and Accreditation (C&A) Contract..............................6\n\n\n                Recommendations ........................................................................ 15\n\n\n        Finding No. 
2 \xe2\x80\x93The Performance Work Statement Did Not Require\n\n              Sufficient Documentation to Support C&A Recommendations \n\n              and Decisions ............................................................................... 16 \n\n\n                Recommendations ........................................................................ 18\n\n\nOTHER MATTERS ........................................................................................ 20\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY.............................................. 21\n\n\nSTATEMENT ON INTERNAL CONTROL .................................................... 23\n\n\nATTACHMENTS\n\n        Attachment 1 \xe2\x80\x93 Tier 4 Systems\n        Attachment 2 \xe2\x80\x93 Detailed Results by Deliverable\n        Attachment 3 \xe2\x80\x93 Office of Inspector General Comments to Department Response\n        Attachment 4 \xe2\x80\x93 Department Response to Draft Report\n\x0c                                EXECUTIVE SUMMARY\n\n\n\nThe National Institute of Standards and Technology states, \xe2\x80\x9cSecurity certification and\naccreditation are important activities that support a risk management process and are an integral\npart of an agency\xe2\x80\x99s information security program.\xe2\x80\x9d The Department of Education (Department)\nestablished a contract to acquire technical support for its certification and accreditation (C&A)\nprogram. The C&A contract included three primary requirements that its information systems\nwould be subjected to \xe2\x80\x93 a documentation review, security test and evaluation (ST&E), and, for\nselect systems, vulnerability scanning and penetration testing.\n\nThe objective of our audit was to determine the effectiveness of the Department\xe2\x80\x99s management\nof the C&A contract. 
Our audit was limited to the review of deliverables related to the\ndocumentation review and vulnerability scanning/penetration testing requirements of the contract\nfor the initial 10 Tier 4 systems subjected to the C&A process. (See Attachment 1 for further\ninformation on Tier 4 systems and the 10 systems included in our review.) The Office of\nInspector General (OIG) reviewed the ST&E requirements under a separate project and issued\nthe results of that review separately. 1\n\nOverall, we found that Department staff did not effectively manage the C&A contract and that\nimprovements were needed in the Department\xe2\x80\x99s contract management process. Department staff\ndid not adequately track and inspect deliverables, gave unauthorized instructions to the\ncontractor to reduce the scope of work to be performed, did not inform the Contracting Officer\n(CO) of changes in key personnel, and did not document evaluations of contractor-submitted\nreports. As a result, the Department paid for deliverables that were not provided or that did not\nmeet acceptance criteria, and improperly authorized incentive payments to the contractor. A\nsubsequent modification to the contract was issued, in part to correct the work that was not\nadequately performed, resulting in the Department paying twice for the same required services.\nWe also found the Performance Work Statement (PWS) for the C&A contract did not require\nsufficient documentation to support C&A recommendations and decisions. 
The C&A services\ninitially received did not provide managers with complete, supportable information upon which\nto base their certification decisions.\n\nTo correct the weaknesses we identified, we recommended that the Department:\n\n\xe2\x80\xa2\t Ensure that the staff member assigned as the Contracting Officer\xe2\x80\x99s Representative (COR) is\n   provided sufficient resources to fulfill his/her responsibility for overall contract monitoring,\n   and that other involved staff provide the COR with appropriate input as needed. Specifically,\n   a contract monitoring plan should be developed to ensure that all aspects of the contract are\n   appropriately monitored and Department policies are followed.\n\n1\n Audit Control Number, A11-E0002, \xe2\x80\x9cDepartment of Education\xe2\x80\x99s Implementation of [Federal Information Security\nManagement Act] FISMA, Fiscal Year 2004,\xe2\x80\x9d dated October 6, 2004.\n\nED-OIG/S19-E0015\t                                                                          Page 1\n\x0c\xe2\x80\xa2\t Ensure the CO, COR, and other staff and contractors involved in contract management, meet\n   to review the contract monitoring plan and agree upon the methodology for monitoring the\n   remainder of this contract. 
Ensure all parties understand their responsibilities for contract\n   monitoring.\n\xe2\x80\xa2\t Require the contractor to formally request substitution of key personnel already removed\n   from the contract, and for any future substitutions, including submitting resumes for\n   evaluation by the Department to ensure the level of expertise is comparable to the original\n   key personnel.\n\xe2\x80\xa2\t Ensure the CO provides any subsequent CORs with memoranda to outline responsibilities\n   and limitations as required by the Department Directive, and provides notice to the contractor\n   of any change in CORs.\n\xe2\x80\xa2\t Obtain an Office of General Counsel (OGC) opinion regarding possible remedies to recover\n   funds from the contractor for improper incentive payments, unacceptable deliverables, and\n   reductions to the scope of work made without the authorization of the CO. If indicated by\n   the opinion, pursue recovery of funds from the contractor.\n\xe2\x80\xa2\t Review the current PWS and ensure that sufficient documentation is required to support\n   C&A recommendations and decisions.\n\xe2\x80\xa2\t Ensure that all future PWS for C&A contracts include requirements for documentation\n   supporting scans, tests, and analyses conducted, and decisions made on the risks and\n   mitigating factors considered, in support of the contractor\xe2\x80\x99s C&A recommendations.\n\nThe Department initially provided a response to our draft report on October 4, 2004. The\nDepartment retracted that response on October 7, 2004. An amended response was provided on\nOctober 12, 2004. The Department retracted that response on October 14, 2004. 
The final\nresponse was provided on October 18, 2004, and that is the document we refer to as the\n\xe2\x80\x9cDepartment\xe2\x80\x99s response.\xe2\x80\x9d Some information in the Department\xe2\x80\x99s response conflicted with\ninformation provided to us by Department officials during our review.\n\nIn its response, the Department stated,\n\n       . . .[W]hile acknowledging that contract related processes early in the C&A\n       contract period could have been performed to more closely adhere to the\n       Department\xe2\x80\x99s contract procedures and policies, the Department does not conc ur in\n       whole, with the findings of the draft audit. The Department believes that the\n       C&A contractor\xe2\x80\x99s performance met the objectives of the contract in support of the\n       C&A program.\n\nThe Department did not concur in whole with the findings, but it did conc ur with six of the seven\nrecommendations made. The Department did not concur with the recommendation to obtain an\nOGC opinion regarding possible remedies to recover funds from the contractor.\n\nOIG\xe2\x80\x99s position has not changed on the issues reported in the findings, or on the\nrecommendations made. No changes were made to the report as a result of the Department\xe2\x80\x99s\nresponses.\n\n\n\nED-OIG/S19-E0015\t                                                                  Page 2\n\x0cIn Attachment 3, we have provided comments to the Department\xe2\x80\x99s response. The Department\xe2\x80\x99s\nresponse is included in its entirety as Attachment 4 to this report.\n\nThroughout the review, OIG experienced delays in obtaining information from Department staff.\nOffice of the Chief Information Officer (OCIO) staff had difficulty locating deliverables, and/or\ndetermining what documents, if any, the contractor provided to satisfy deliverable requirements.\nOCIO files were not complete and did not include evidence of inspection and acceptance or\nrejection of deliverables. 
Some deliverables that the Department stated were provided could not\nbe located. OCIO staff reported that a number of verbal agreements were made with the\ncontractor regarding the scope of work, but no documentation existed to support any of these\nagreements.\n\nThe conflicting information and multiple responses to our draft report from the Department,\nalong with our difficulties in obtaining information, indicate a lack of familiarity with contract\nrequirements and with work actually accomplished. This supports our conclusion that the\nDepartment did not effectively manage the contract. It also lessens the Department\xe2\x80\x99s credibility\nwith regard to any statements provided by Department management and staff, especially in the\nabsence of supporting documentation. As a result, we were presented with a scope limitation in\nthat we were unable to determine whether the vulnerability scans performed as part of the C&A\neffort resulted in any findings that should have been reported to management. As such, we were\nnot able to conclude whether deliverables regarding vulnerability scanning and penetration\ntesting should have been provided by the contractor.\n\n\n\n\nED-OIG/S19-E0015                                                                    Page 3\n\x0c                                     BACKGROUND\n\n\n\nThe National Institute of Standards and Technology (NIST), Special Publication 800-37, \xe2\x80\x9cGuide\nfor the Security Certification and Accreditation of Federal Information Systems,\xe2\x80\x9d states:\n\n       Security certification and accreditation are important activities that support a risk\n       management process and are an integral part of an agency\xe2\x80\x99s information security\n       program. 
Security accreditation is the official management decision given by a\n       senior agency official to authorize operation of an information system and to\n       explicitly accept the risk to agency operations, agency assets, or individuals based\n       on the implementation of an agreed-upon set of security controls. Required by\n       OMB [O ffice of Management and Budget] Circular A-130, Appendix III, security\n       accreditation provides a form of quality control and challenges managers and\n       technical staffs at all levels to implement the most effective security controls\n       possible in an information system, given mission requirements, technical\n       constraints, operational constraints, and cost/schedule constraints. By accrediting\n       an information system, an agency official accepts responsibility for the security of\n       the system and is fully accountable for any adverse impacts to the agency if a\n       breach of security occurs. Thus, responsibility and accountability are core\n       principles that characterize security accreditation.\n\nThe Department of Education (Department) established a contract to acquire technical support\nfor its certification and accreditation (C&A) program. 
The Performance Work Statement (PWS)\nfor the contract included the following as responsibilities of the contractor:\n\n       \xe2\x80\xa2\t Reviewing and evaluating system security documentation to ensure it is complete and\n          complies with Department policies and guidelines,\n       \xe2\x80\xa2\t Conducting security test and evaluation (ST&E), and vulnerability and penetration\n          tests, if applicable,\n       \xe2\x80\xa2\t Documenting test findings,\n       \xe2\x80\xa2\t Providing system owner out briefs,\n       \xe2\x80\xa2\t Writing a summary report of certification activities performed and their results,\n       \xe2\x80\xa2\t Justifying the certification recommendation,\n       \xe2\x80\xa2\t Briefing the certifier on the review findings and the certification recommendation,\n          and\n       \xe2\x80\xa2\t Supporting recertification and revalidation.\n\nThe original contract, effective June 25, 2003, included requirements to complete C&A services\nfor 25 systems by December 31, 2003. Included in these systems were 10 Tier 4 systems \xe2\x80\x93 the\nhighest risk systems in the Department. (See Attachment 1 for further information on Tier 4\nsystems and the 10 systems included in our review.)\n\n\nED-OIG/S19-E0015\t                                                                    Page 4\n\x0cThe C&A contract included three primary requirements for the Tier 4 systems \xe2\x80\x93 documentation\nreview, ST&E, and vulnerability scanning and penetration testing. Our audit was limited to\nanalysis of contract management for the documentation review and vulnerability\nscanning/penetration testing requirements of the contract for the 10 original Tier 4 systems. The\nOffice of Inspector General (OIG) is reviewed the ST&E requirements under a separate project\nand issued the results of that review separately. 2\n\nThe Department originally awarded the contract for $1,026,311, including incentives, for 25\nsystems. 
This amount included $437,400 for 10 Tier 4 systems. The Department issued\nmodifications to the contract to exercise option years, add additional 35 systems to the C&A\nprocess, and for other related services, bringing the total contract amount to $2,842,367, as of\nJanuary 5, 2004.\n\nSubsequent to the start of our audit work, effective July 13, 2004, the Department issued\nModification 0005 to the C&A contract to recertify and accredit, or validate the existing\ncertification and accreditation, of 60 systems, including the original 10 Tier 4 systems that were\nthe subject of our review. Under this modification, the work to be performed for these Tier 4\nsystems was primarily for vulnerability scanning and penetration testing, and a final security\nassessment report. The total value of this modification for the original 10 Tier 4 systems was\n$253,692.3 The total contract amount through Modification 0005 was $3,172,486.\n\n\n\n\n2\n  Audit Control Number, A11-E0002, \xe2\x80\x9cDepartment of Education\xe2\x80\x99s Implementation of [Federal Information Security\nManagement Act] FISMA, Fiscal Year 2004,\xe2\x80\x9d dated October 6, 2004.\n3\n  The modification for the original 10 Tier 4 systems also included additional C&A services for 3 of the 10 systems\nthat the modification stated experienced significant changes since the last C&A review. For these three systems, the\nmodification also included deliverables for C&A documentation reviews, and ST&E execution and documentation.\n\nED-OIG/S19-E0015                                                                                  Page 5\n\x0c                                    AUDIT RESULTS\n\n\n\nWe found Department staff did not effectively manage the C&A contract. 
Department staff did\nnot adequately track and inspect deliverables, gave unauthorized instructions to the contractor to\nreduce the scope of work to be performed, did not inform the Contracting Officer (CO) of\nchanges in key personnel, and did not document evaluations of contractor-submitted reports. As\na result, the Department paid for deliverables that were not provided or that did not meet\nacceptance criteria, and improperly authorized incentive payments to the contractor. A\nsubsequent modification to the contract was issued, resulting in the Department paying twice for\nthe same services. We also found the PWS for the C&A contract did not require sufficient\ndocumentation to support C&A recommendations and decisions. The C&A services initially\nreceived did not provide managers with complete, supportable information upon which to base\ntheir certification decisions.\n\nIn its response, the Department stated,\n\n       . . .[W]hile acknowledging that contract related processes early in the C&A\n       contract period could have been performed to more closely adhere to the\n       Department\xe2\x80\x99s contract procedures and policies, the Departme nt does not concur in\n       whole, with the findings of the draft audit. The Department believes that the\n       C&A contractor\xe2\x80\x99s performance met the objectives of the contract in support of the\n       C&A program.\n\nThe Department did not concur in whole with the findings, but it did concur with six of the seven\nrecommendations made. OIG\xe2\x80\x99s position has not changed on the issues reported in the findings,\nor on the recommendations made. No changes were made to the report as a result of the\nDepartment\xe2\x80\x99s response. (See Attachment 3 for comments by OIG to the Department\xe2\x80\x99s response,\nand Attachment 4 for a copy of the Department\xe2\x80\x99s response.)\n\n\n\nFinding No. 
1 \xe2\x80\x93        Department Staff Did Not Effectively Manage the C&A\n                       Contract\n\n\nDepartment staff did not effectively manage the contract for C&A services. Specifically, we\nfound that the Contracting Officer\xe2\x80\x99s Representative (COR), and other Office of the Chief\nInformation Officer (OCIO) staff and contractors involved in contract monitoring:\n\n   a.\t Did not adequately track and inspect deliverables to ensure that contract requirements\n       were met. We found that some deliverables were not provided, and others did not meet\n       acceptance criteria provided in the contract.\nED-OIG/S19-E0015\t                                                                   Page 6\n\x0c    b.\t Gave unauthorized instructions to the contractor to reduce the scope of work to be\n        performed.\n    c.\t Did not ensure that the CO was informed of changes in key personnel and that the\n        contractor submitted to the CO formal notice and requests for written approval of\n        substitution of key personnel.\n    d.\t Did not document evaluations of contractor-submitted reports or provide written \n\n        evaluations of the reports to the CO. \n\n\nFederal Acquisition Regulation (FAR) Part 37, \xe2\x80\x9cService Contracting,\xe2\x80\x9d \xc2\xa7 37.102(h), states,\n\xe2\x80\x9cAgencies shall ensure that sufficiently trained and experienced officials are available within the\nagency to manage and oversee the contract administration function.\xe2\x80\x9d FAR \xc2\xa7 37.114, \xe2\x80\x9cSpecial\nAcquisition Requirements,\xe2\x80\x9d states:\n\n        Contracts for services which require the contractor to provide advice, opinions,\n        recommendations, ideas, reports, analyses, or other work products have the\n        potential for influencing the authority, accountability, and responsibilities of\n        Government officials. 
These contracts require special management attention to\n        ensure that they do not result in performance of inherently governmental\n        functions by the contractor and that Government officials properly exercise their\n        authority. Agencies must ensure that\xc2\xad\n\n                 (a) A sufficient number of qualified Government employees are assigned\n                     to oversee contractor activities, especially those that involve support of\n                     Government policy or decision making. . ..\n\n                 (b) A greater scrutiny and an appropriate enhanced degree of management\n                     oversight is exercised when contracting for functions that are not\n                     inherently governmental but closely support the performance of\n                     inherently governmental functions. . ..\n\nThe Department\xe2\x80\x99s Administrative Communication System Directive (Directive), Office of the\nChief Financial Officer (OCFO):2-108, \xe2\x80\x9cContract Monitoring for Program Officials,\xe2\x80\x9d dated\nJanuary 12, 1987, 4 Section I, states that the purpose of the Directive is to provide internal\nstandards and guidelines for monitoring of contracts by program officials. Included in the\nDirective are specific guidelines for inspection and acceptance, documenting and maintaining\nmonitoring information, evaluating reports provided by the contractor, and ensuring the CO is\ninformed of important issues related to contractor performance, including changes in key\npersonnel.\n\nSection II of the Directive states:\n\n        It is the policy of the Department of Education (a) to monitor every contract to the\n        extent appropriate to provide reasonable assurance that the contractor performs\n\n\n4\n  The Department updated and reissued this Directive on April 15, 2004. 
The requirements presented above from\nthe former policy (in effect during the scope of our review) are also presented in the updated policy.\n\nED-OIG/S19-E0015\t                                                                              Page 7\n\x0c       the work called for in the contract, and (b) to develop a clear record of that\n       performance and the Department\xe2\x80\x99s efforts in monitoring it.\n\nSection VIII.A of the Directive states, \xe2\x80\x9cContract monitoring is conducted by the Government to\nensure that the contractor performs according to the specific promises and agreements that make\nup the contract.\xe2\x80\x9d\n\n\na.\t The COR, other OCIO staff, and the project management contractor, did not\n    adequately track and inspect deliverables to ensure that contract requirements were\n    met.\n\nWe found that some deliverables were not provided, and others did not meet the acceptance\ncriteria provided in the contract. Specifically, we found:\n\n   \xe2\x80\xa2\t Deliverables regarding rules of engagement for vulnerability scans/penetration testing,\n      evidence that vulnerability scans/penetration testing were conducted, and minutes for\n      system owner and certifier out briefs were not provided.\n   \xe2\x80\xa2\t Matrices of observations, vulnerability scans/penetration testing reports, system owner\n      out briefs, and certifier out briefs deliverables were not complete and did not meet\n      acceptance criteria.\n   \xe2\x80\xa2\t The contractor did not report on whether issues noted in the 2002 risk assessments had\n      been mitigated as required by the contract.\n   \xe2\x80\xa2\t Issues reported in the matrices of observations were not consistent with issues reported in\n      the system owner and certifier out briefs.\n\nSee Attachment 2 for details on results by deliverable.\n\nThe FAR states that the Government has the right to inspect and test all services. 
If any services\ndo not conform to contract requirements, the Government may require the contractor to perform\nthe services again at no increase to the contract amount (FAR \xc2\xa7 52.246-4(e)). The FAR also\nprescribes policies and procedures to ensure supplies and services conform to requirements.\nAcceptance is defined as acknowledgment that services/deliverables conform to applicable\ncontract quality and quantity requirements (FAR \xc2\xa7 46.501). Acceptance ordinarily is evidenced\nby execution of an acceptance certificate on an inspection or receiving report form (FAR \xc2\xa7\n46.501).\n\nDepartment policies require that for deliverables sent to the COR, the COR is generally\nresponsible for conducting the inspection and, depending on the contract, for making acceptance\nor for recommending to the CO whether acceptance should be made. The COR\xe2\x80\x99s decision to\naccept deliverables or to recommend their rejection must be furnished in writing to the CO using\na receiving report or receipt, (Directive OCFO 2-108, Sections XI.A.1 and XI.B.1). Receipts are\nprovided electronically through the Department\xe2\x80\x99s Contract and Purchasing Support System.\nDepartment policy also states that constructive acceptance occurs seven days after delivery of\nsupplies or services. 
For service contracts, Department policy requires that receipts be provided when invoices are received (OCFO Procedures that Work, CO-008).

ED-OIG/S19-E0015                                                                       Page 8

We found that deliverables were not adequately tracked and inspected because:

   • OCIO fragmented responsibility for contract management between the COR, other OCIO staff, and a contractor hired for project management,
   • Monitoring focused on schedules, not deliverables,
   • The Department’s receipts process for service contracts does not document acceptance of deliverables.

OCIO Fragmented Contract Management Responsibilities

We found that the COR, other OCIO staff, and the project management contractor did not adequately track and inspect deliverables because the program office fragmented the responsibility for monitoring contract performance. The COR responsible for the contract between September 2003 and April 2004 stated that she was not a technical expert in the area, and was not able to devote a great deal of time to this contract as she was also assigned other tasks. OCIO hired another contractor to perform project management for the C&A process. Department policy states that the COR is responsible for monitoring the programmatic or technical aspects of a contract and making recommendations to the CO for necessary contract administration actions, including the inspection and acceptance of deliverables. These duties, however, were spread among other OCIO staff members and a project management contractor, making it difficult for the COR to manage several individuals that were performing parts of the COR’s duties. Other OCIO staff members and the project management contractor had also not received the Department’s contract monitoring training and, as such, may not have been familiar with contract monitoring requirements.

Monitoring Focused on Schedules, Not Deliverables

The project tracking by the COR, other OCIO staff, and the project management contractor centered on monitoring schedules and did not include detailed inspection of deliverables for compliance with the quantity and quality requirements of the contract. In fact, OCIO staff responsible for monitoring the contract were not familiar with all deliverable requirements. For example, we found the COR and other OCIO staff were not familiar with the requirement that minutes of the out briefs be recorded and distributed. OCIO staff were not familiar with which systems received penetration testing. OCIO staff also did not realize that the out brief deliverables did not consistently include information on vulnerability scans and penetration testing. An OCIO staff member stated that the vulnerability scans and penetration tests were discussed verbally in the out briefs; however, since no minutes were provided, no documentation exists to support the discussions.

Receipts Process for Service Contracts Does Not Document Acceptance of Deliverables

In addition, because the Department’s process for indicating receipt is based on invoices rather than deliverables, no formal, written acceptance of individual deliverables was made. Progress payments were authorized under the contract based on a monthly allocation of total contract costs. The COR stated that she matched the invoice amounts to the schedule. The COR stated that she did not inspect deliverables, but provided them to other OCIO staff with technical expertise. Receipts from the COR included general statements about progress on the contract, rather than any indication that deliverables received to date were inspected and accepted. Through Modification 0005 to the contract, the Department aligned the receipts process with deliverables for this contract. The modification states, “The contractor shall invoice on a monthly basis only for the deliverables received and accepted by the Department.”

As a result, the Department paid for deliverables that were not provided, or for deliverables that did not meet contract acceptance criteria. Without complete information on the penetration risk level included in the out briefs, or a statement that there were no risks in this area, the certifying official did not have complete information upon which to base the certification decision. Constructive acceptance has already occurred since more than seven days have elapsed from receipt of these deliverables. As such, the Department may have lost the opportunity to require that the contractor correct the deficiencies noted without additional cost to the Government.

In addition, the contractor was improperly paid a total of $83,622 in performance incentives for work during the initial contract period. Contract terms stated that the incentives would be paid only if all deliverables meet the acceptance criteria and due dates specified. Since not all deliverables were provided, and some deliverables were not complete and therefore did not meet acceptance criteria, the contractor should not have been paid any of the incentive amounts.

b. OCIO staff gave unauthorized instructions to the contractor to reduce the scope of work to be performed.

During performance, OCIO clarified contract requirements, and reduced the scope of work for vulnerability scans and penetration testing, without proper authority to do so.
OCIO staff did not formalize these changes to the contractor in writing, nor was the CO informed of these changes.

Specifically, we noted:

   • OCIO staff clarified what would be considered a “finding” for vulnerability scans.
   • The contractor responsible for the operation of the Common Origination and Disbursement (COD) system, and that contractor’s auditors, performed the vulnerability scans and penetration testing for that system, rather than the C&A contractor as required by the contract.
   • The contractor responsible for the operation of the Direct Loan Servicing System (DLSS) performed the vulnerability scans for that system, rather than the C&A contractor as required by the contract.
   • The contract called for penetration testing to be performed for all 10 Tier 4 systems. However, agreement was reached between the Department and the C&A contractor that penetration testing would not be performed if there was a chance that systems would be disrupted. As a result, the C&A contractor did not perform penetration testing for any of the 10 Tier 4 systems. (Only the COD system received penetration testing, as discussed above.)
   • OCIO staff and the contractor agreed that the Certification Recommendations Report deliverables specified in the contract for each system were not required. OCIO staff considered the certifier briefing to satisfy the requirements for this deliverable, even though all required areas of the deliverable were not included in the certifier briefing.

Neither OCIO staff nor the contractor could provide electronic mail messages or other documentation that discussed the specifics of these changes and the agreement of the parties to the changes.

The CO is the only Department official authorized to make changes to the contract. The COR is not authorized to modify or change the terms of the contract, such as obligated cost or price, delivery, or scope of work. Department policy states that the CO relies on the COR for collecting monitoring information and making related analyses and recommendations for administrative action. This information and analysis must be fully documented and reported promptly to the CO so that the Government’s interests can be protected, and so that the program office will have the facts upon which to make informed decisions about the contract and the program in general (Directive OCFO:2-108, Section IX.C.2).

Department policy further states that the Government’s record for a contract is maintained primarily in two places: in the program office and in the contracting office. The program office file, maintained by the COR, should contain all information needed by the COR to carry out his or her contract monitoring and managing responsibilities. The file maintained by the CO is the Government’s “official file” and must contain all information having even the slightest bearing on the obligations of the two parties to the contract and their performance against those obligations (Directive OCFO:2-108, Section IX.D.5).

Department Directive OCFO:2-108, Section IX.N, states:

    1. The purpose of detailed record-keeping is to build a complete history of each project so that information is not lost or forgotten, and so that others – e.g., one’s supervisor, a new COR assigned to the project, an auditor, or perhaps a court of law – can get a clear picture of what has occurred during the life of a contract. (If a dispute occurs, it could be several years between the event and its resolution. The COR and program office files could be called upon at a very late date.)
    2. As a general rule, the COR should document every significant action taken or conversation held in the course of monitoring or administering a contract.

The COR and OCIO staff did not obtain CO approval for the clarifications and changes made in requirements for the contractor’s performance. As a result, the CO was not aware of the changes, and was not able to evaluate the impact of those changes on the scope of work in the contract, including determining whether the contract price should be reduced. Fragmentation of contract monitoring responsibilities, as previously discussed, may have contributed to the issues noted.
While all CORs assigned to the contract had completed certification training, other OCIO staff heavily involved in contract management, and the project management contractor, may not have been familiar with or did not follow Department policies and procedures on communication with the CO and contract file documentation. The CO did not provide the first two CORs on the project with letters delegating authority for contract monitoring responsibilities. As such, these CORs may not have fully understood their responsibilities and/or the extent and limitation of their authority.[5]

[5] The initially assigned COR was responsible for contract monitoring from the start of the contract in June 2003, until his departure from the Department in September 2003. The second COR was responsible for contract monitoring from September 2003, until her departure from the Department in April 2004. The current COR has been assigned to the contract since April 2004.

Verbal agreements on the definition of a finding for vulnerability scans, and reductions to the scope of work for vulnerability scans, penetration testing, and other deliverables, could later lead to disputes if one party’s recall of the discussion or agreements differs from the other party’s. The changes related to vulnerability scans and penetration testing, and elimination of the certification recommendation report, resulted in a decreased level of effort by the contractor and should have resulted in a modification and a decrease in the contract price to reflect the work originally required by the contract that was not performed.

In addition, the informal agreement regarding the extent of penetration testing for the Tier 4 systems resulted in less assurance for the Department that these high-risk systems were adequately protected against unauthorized access.

c. The COR/OCIO staff did not ensure that the CO was informed of changes in key personnel and that the contractor submitted to the CO formal notice and requests for written approval of substitution of key personnel.

During contract performance, two of the four key personnel designated in the contract – both of the designated team leaders – were removed from the contract. One team leader was removed after two months of contract performance because he failed to meet the requirements of the Department’s security clearance process. The other team leader was promoted within the contractor’s organization and removed from the C&A project after six months of performance. The contractor did not submit substitutions of key personnel for approval by the CO as required. Section H.1 of the C&A contract states that,

    The personnel designated as key personnel are considered to be essential to the work being performed hereunder. Prior to diverting any of the specified individuals to other programs, or otherwise substituting any other personnel for specified personnel, the contractor shall notify the Contracting Officer and the COR reasonably in advance and shall submit justification (including proposed substitutions) in sufficient detail to permit evaluation of the impact on the task order effort. No diversion or substitution shall be made without the written consent of the contracting officer. . . . The task order will be modified to reflect the addition or deletion of key personnel.

Directive OCFO:2-108, Appendix F, “Checklist of Questions to Consider When Monitoring,” includes the following:

   • Are key personnel performing under the contract to the extent agreed to?
   • Has the contractor notified the Government of any changes to the key personnel?

This section further states, “If the answer to any of the preceding questions was ‘NO,’ has the ED [Department] Contracting Officer been notified so that prompt corrective action may be taken?”

The COR and other OCIO staff were aware that the key personnel had been removed from the contract. However, the COR did not follow Department policies by ensuring that the contractor complied with contract terms and notified and provided information on substitute personnel to the CO for evaluation.

As a result, the expertise and level of knowledge of the personnel substituted may not have equaled that of the designated key personnel upon which the contract award decision was at least partially based. The level of service provided might have been less than what was originally purchased. The purpose of the contract, as stated in the PWS, was to “. . . acquire expert technical support . . . .” Without evaluation of the personnel substituted for the experts originally hired, the Department does not have the same level of assurance in the quality of the services it received.

d. The COR did not document evaluations of contractor-submitted reports or provide written evaluations of the reports to the CO.

The contract included requirements for reports in addition to the deliverables for the C&A process.
These reports included:

   • Weekly status reports on the overall implementation and status of the entire process,
   • Project plans for each system including personnel assigned, proposed schedule and cost estimates, and
   • Monthly earned value management reports for each system.

We found, however, that there was no documentation to indicate whether the COR reviewed and made written evaluations of these reports, or provided those evaluations to the CO.

Department policy states that the COR must promptly read all progress reports submitted by the contractor. Failure to read the reports negates their considerable value in keeping the Government up to date. The COR must make a written evaluation of each report. Depending on the type of contract and relative importance of the report, the evaluation might be either rigorous or reasonably informal. All evaluations of reports should be sent to the CO. The COR must ensure that copies of reports and the evaluations made of them are entered in the program office file (Directive OCFO:2-108, Sections X.D.2.a and c, X.D.4.b and d).

The COR or other OCIO staff did not follow Department requirements to promptly read and document evaluations of reports submitted by the contractor. As previously mentioned, the COR stated that she had other responsibilities and was not able to devote a great deal of time to this contract.

As a result, potential problem indicators included in the reports may not have been detected by the COR. In addition, the CO was not provided evaluations to confirm that reports were being received as required by the contract, and to indicate any potential problems so that the CO could promptly take any required action to protect the Government’s interests.

Summary

Without an effective flow of information between the CO and COR, the CO cannot ensure the COR is adequately performing the contract monitoring tasks they have been delegated, nor can the CO ensure that contract progress is satisfactory.

Program staff who are unfamiliar with contract terms, deliverable requirements, or regulations, policies and procedures to be followed in monitoring contracts, are unable to achieve the basic purpose of contract monitoring – to provide reasonable assurance that the contractor performs work called for in the contract. Inadequate documentation of contract monitoring, contract changes, and review and acceptance of deliverables impairs the Department’s ability to hold the contractor accountable for performance. Failure to enforce contract terms may also constitute a waiver of the Department’s rights to enforce contract terms, may support interpretations of contract requirements contrary to the Government’s best interest, and/or may subsequently weaken the Government’s position to effectively defend itself in contract disputes.

Unauthorized agreements to reduce the work to be performed and deliverables to be provided under the contract reduced the assurance the Department could place in the C&A process and in the security of its systems. Since the contract price was not modified to reflect the reduction in effort, the Department paid for work that was not performed.

Subsequent to the start of our audit work, effective July 13, 2004, the Department issued Modification 0005 to the C&A contract to recertify and accredit, or validate the existing certification and accreditation of, 60 systems, including the original 10 Tier 4 systems that were the subject of our review. For the original 10 Tier 4 systems, Modification 0005 included requirements to repeat the vulnerability scans and penetration testing included in the original contract for these systems. The modification also included a final security assessment report for the original 10 Tier 4 systems. This report included essentially the same acceptance criteria as were included for the certification recommendation report that OCIO staff determined was not needed. In total, Modification 0005 included $243,692 for the 10 Tier 4 systems. Of this amount, $122,472 was to repeat C&A analyses and documentation that should have been completed under the initial contract for seven of the systems, and $131,220 was for C&A services on three systems that the modification stated had experienced significant changes since the original C&A review.
As a result of the weaknesses in contract management, the Department will be paying for many of the C&A services twice.

Recommendations:

We recommend that the Chief Financial Officer, in conjunction with the Assistant Secretary for Management and Chief Information Officer, take action to:

1.1 Ensure that the staff member assigned as COR has the technical knowledge required and is provided sufficient resources to fulfill his/her responsibility for overall contract monitoring, and that other involved staff provide the COR with appropriate input as needed. Specifically, a contract monitoring plan should be developed by which the COR ensures:

    a. Deliverables are tracked, inspected in accordance with contract requirements, and formally accepted or rejected;
    b. The CO is involved in all discussions regarding changes to the scope of work, and provides appropriate authorization for any such changes;
    c. The CO is notified of changes in key personnel;
    d. Evaluations of contractor reports are documented and provided to the CO; and
    e. Contract file documentation includes all information needed to carry out his/her monitoring and managing responsibilities in accordance with Department policy.

1.2 Ensure the CO, COR, and other OCIO staff and contractors involved in contract management meet to review the contract monitoring plan, and agree upon the methodology for monitoring the remainder of this contract. During the meeting, the CO should review the requirements in the FAR, the Department’s Directive for contract monitoring, and the terms of the contract, including deliverable requirements, to ensure that all parties understand their responsibilities for contract monitoring.

1.3 Require the contractor to formally request substitution of key personnel already removed from the contract, and for any future substitutions, including submitting resumes for evaluation by the Department to ensure the level of expertise is comparable to the original key personnel.

1.4 Ensure the CO provides any subsequent CORs with memoranda to outline responsibilities and limitations as required by the Department Directive, and provides notice to the contractor of any change in CORs.

1.5 Obtain an Office of General Counsel (OGC) opinion regarding possible remedies to recover funds from the contractor for improper incentive payments, unacceptable deliverables, and reductions to the scope of work made without the authorization of the CO. If indicated by the opinion, pursue recovery of funds from the contractor.

Department Response

The Department did not concur in whole with the finding, and concurred with four of the five recommendations for this finding. The Department did not concur with the last recommendation above, and stated in its response,

    The Department does not concur that incentive payments were made to the contractor improperly, that deliverables were unacceptable, or that payment was made for more than it should have for the work completed. The Contracting Officer had already determined that an opinion is not required from Office of General Counsel.

OIG Comments

OIG continues to recommend that OGC be consulted for an opinion on this matter. (See Attachment 3 for detailed comments to the Department’s response.)

Finding No. 2 – The Performance Work Statement Did Not Explicitly Require Sufficient Documentation to Support C&A Recommendations and Decisions

We found that the PWS did not explicitly require the contractor to provide or maintain supporting documentation of decisions made during the C&A process to support the contractor’s C&A recommendations and therefore the Department’s certification decisions. Deliverables submitted included briefing slides or summaries that did not provide information on the initial issues noted and resolved during the C&A process. The Department therefore received very little information to support the decisions and recommendations made by the contractor.

In addition, as discussed in Finding 1, OCIO and the contractor agreed to changes that reduced the scope of work and deliverables required under the contract. These changes further reduced the documentation provided to support decisions made in the C&A process.

NIST Special Publication 800-37, Executive Summary, states:

    It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

NIST 800-37, Section 1.1, states:

    The purpose of this publication is to provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:

        • Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems;
        • Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and
        • Creating more complete, reliable, and trustworthy information for authorizing officials—to facilitate more informed security accreditation decisions.

NIST 800-37, Section 2.2, allows the delegation of certification and accreditation roles to qualified individuals, including contractors, with the exception of the roles of the Chief Information Officer and authorizing official.
The delegated roles can include the determination of risk to agency operations. The only activities that must be performed by the authorizing official (i.e., a government employee) are the actual security accreditation decision and the signing of the accreditation letter. However, agency officials retain ultimate responsibility for the results of actions performed by individuals in delegated roles.

Department staff stated that the intent of the contract was to purchase the contractor’s expertise in conducting the C&A process. At one point, the contractor offered the Department raw data obtained during performance of the contract, and upon which its recommendations were based, but Department officials did not want the information, stating that they had no one qualified to review it. Based on OIG’s inquiries related to this and other reviews, the contractor later provided the Department with its vulnerability scans for 7 of the 10 Tier 4 systems, but other information developed in its analyses to support the certification recommendations had been destroyed, as the Department did not want the data and there was no requirement to maintain it. As a result, we could find no information to support the decisions made by the contractor and its certification recommendation to the Department.

Since detailed information was not submitted, the Department may not be fully aware of what vulnerabilities were noted and corrected prior to the completion of the C&A process. In fact, when questioned as part of this review, neither the Department nor the contractor could initially provide information as to which systems, if any, received penetration testing as part of the C&A process. Information on the issues or vulnerabilities, and the actions taken to correct them, would be helpful to the Department in avoiding similar mistakes in the future, as well as providing information on the performance of system managers or other contractors responsible for the security and operation of the Department’s systems. Detailed information on the C&A process and results could allow Department staff conducting C&A reviews in the future to evaluate the work performed by this contractor and build on that to identify recurring problems or improvements that have been made. The Department missed a significant opportunity to obtain management information by not requiring the contractor to provide full documentation of the analyses and decisions made in the process.

The information provided by the C&A contractor does not meet the purpose of the NIST guidance – to help achieve more secure information systems by (1) enabling consistent, comparable and repeatable assessments, (2) promoting a better understanding of risks, and (3) creating more complete, reliable and trustworthy information to facilitate more informed security accreditation decisions. With only the very limited information provided by the contractor, the Department is not able to satisfy these requirements.

The Department should review the appropriateness of the decisions made by the contractor in order to ensure that the work performed by the contractor was thorough and complete and met the objectives of the Department’s C&A process and the requirements of the contract. Since the Department had not previously dealt with this contractor, it was not justified in placing a high amount of trust in an unknown source.

Effective July 13, 2004, the Department modified the C&A contract to recertify and accredit, or validate the existing certification and accreditation of, many systems, including all of the 10 Tier 4 systems reviewed. The modified PWS required additional documentation and reports that represent an improvement over the prior PWS. However, as noted in Finding 1, significant improvement in contract management is needed to ensure that the required deliverables are provided and meet acceptance criteria.

Recommendations:

We recommend that the Chief Financial Officer, in conjunction with the Assistant Secretary for Management and Chief Information Officer, take actions to:

2.1 Review the current PWS and ensure that sufficient documentation is required to support C&A recommendations and decisions.

2.2 Ensure that all future performance work statements for C&A contracts include requirements for documentation supporting scans, tests, and analyses conducted, and decisions made on the risks and mitigating factors considered, in support of the contractor’s C&A recommendations.

Department Response

The Department did not concur with this finding, but concurred with both recommendations.

OIG Comments

See Attachment 3 for detailed comments to the Department’s response.

OTHER MATTERS

During our audit, as discussed in Finding 1, the Department stated that a verbal agreement with the contractor was made regarding the definition of a vulnerability scan/penetration test finding. The Department further stated that the vulnerability scans and penetration tests conducted as part of the C&A review for the 10 Tier 4 systems did not result in any findings, so deliverables such as testing reports were not required. However, no evidence was available to support these statements, or the contractor’s determination that the scans resulted in no findings.
Department\nstaff stated, and the contractor confirmed, that the analyses of scan results had been destroyed\nand were not available for review. As discussed in Finding 2, the PWS did not require the\ncontractor to provide or maintain documentation supporting its conclusions and\nrecommendations.\n\nThroughout the review, OIG experienced delays in obtaining information from Department staff.\nOCIO staff had difficulty locating deliverables, and/or determining what documents, if any, the\ncontractor provided to satisfy deliverable requirements. OCIO files were not complete and did\nnot include evidence of inspection and acceptance or rejection of deliverables. Some\ndeliverables that the Department stated were provided could not be located. Specifically, the\nfollowing deliverables were not provided or could not be located \xe2\x80\x93 testing agreements, evidence\nthat testing was conducted, test reports, certification recommendation report, and minutes of\nsystem owner and certifier out briefs. OCIO staff reported that a number of verbal agreements\nwere made with the contractor regarding the scope of work, but no documentation existed to\nsupport any of these agreements.\n\nIn response to our draft report, the Department initially provided a response on October 4, 2004.\nThe Department retracted that response on October 7, 2004. An amended response was provided\non October 12, 2004. The Department retracted that response on October 14, 2004. The final\nresponse was provided on October 18, 2004. Some information in the response conflicted with\ninformation provided to us by Department officials during our review.\n\nThe conflicting information and multiple responses to the draft report received from the\nDepartment, along with our difficulties in obtaining information, indicate a lack of familiarity\nwith contract requirements and with work actually accomplished. This supports our conclusion\nthat the Department did not effectively manage the contract. 
It also lessens the Department\xe2\x80\x99s\ncredibility with regard to any statements provided by Department management and staff during\nour review, especially in the absence of supporting documentation. As a result, we were\npresented with a scope limitation, in that we were unable to determine whether the vulnerability\nscans performed as part of the C&A effort resulted in any findings that should have been\nreported to management. As such, we were not able to determine whether some related\ndeliverables should have been provided.\n\n\n\nED-OIG/S19-E0015                                                                  Page 20\n\x0c              OBJECTIVE, SCOPE, AND METHODOLOGY\n\n\n\nThe objective of our audit was to determine the effectiveness of the Department\xe2\x80\x99s management\nof the C&A contract. Our audit was limited to review of deliverables related to the\ndocumentation review and vulnerability scans/penetration testing sections of the contract for the\ninitial 10 Tier 4 systems subjected to the C&A process. Our audit evaluated activity under the\nC&A contract for these systems during the period June 25, 2003, through December 31, 2003.\nSee Attachment 1 for further information on Tier 4 systems and the 10 systems included in our\nreview.\n\nTo accomplish our objective, we obtained an understanding of the requirements for the C&A\nprocess, and for contract management and monitoring. We reviewed applicable laws and\nregulations, guidance on the C&A process provided by NIST and Departmental polices and\nprocedures. We conducted interviews with OCIO and OCFO staff responsible for managing the\nC&A process and contract. We also interviewed staff from the C&A contractor. 
We obtained and reviewed documentation from OCIO and OCFO hard copy contract files, electronic files maintained by OCIO, and documentation from the C&A contractor.

To perform our audit, we reviewed the contract requirements for all deliverables related to the documentation review and vulnerability scans/penetration testing sections of the original contract. We obtained and reviewed documents submitted for those deliverables to determine whether the documents met the acceptance criteria specified in the contract.

Use of computer-processed data for this assignment was limited to payments made to the contractor in the Department’s Financial Management Services System (FMSS). We matched the FMSS payment data to hard copy invoices submitted by the contractor to determine whether amounts on the invoices were the amounts paid. We noted no discrepancies in this review. Based on this assessment, we concluded the data was sufficiently reliable to support the amount of payments made to the contractor.

The conflicting information and multiple responses received from the Department, along with difficulties experienced obtaining information, and lack of documentation, reflect negatively on the Department’s credibility, and presented a scope limitation for our audit. We were unable to determine whether the vulnerability scans performed as part of the C&A effort resulted in any findings that should have been reported to management. As such, we were not able to conclude whether deliverables regarding vulnerability scanning and penetration testing should have been provided by the contractor. This scope limitation is discussed further in the OTHER MATTERS section of this report.

We performed our fieldwork at applicable Department of Education offices in Washington, DC, during the period April 2004 through August 2004.
We held an exit conference with Department management on August 2, 2004. Our audit was performed in accordance with generally accepted government auditing standards appropriate to the scope of the review as described above.

STATEMENT ON INTERNAL CONTROL

As part of our review, we performed a limited assessment of internal control applicable to the Department’s management of the C&A contract. Our review was limited to identification and review of laws, regulations, guidelines, and Department policies and procedures related to the C&A process and contract management. We compared these requirements to the actual process followed to manage the C&A contract.

Because of inherent limitations, the assessment made for the limited purpose described above would not necessarily disclose all material weaknesses in the internal control. However, our assessment disclosed significant internal control weaknesses that adversely affected the Department’s ability to effectively manage the C&A contract. These weaknesses and their effects are fully discussed in the AUDIT RESULTS section of this report.

Attachment 1
Page 1 of 1

TIER 4 SYSTEMS

The PWS, Section 4.1, equates the Department’s “tiers” of systems to the security classification levels (SCLs) in NIST Special Publication 800-37. The PWS states:

        SCL-1 is appropriate for systems that raise low levels of concern due to their inherent risks.
        The Department classifies these systems as Tier 1 or 2. SCL-2 is appropriate for systems that raise moderate levels of concern and are classified as Tier 3 systems here at the Department. SCL-3 is appropriate for systems that raise high levels of concern and are classified as Tier 4 systems.

The 10 Tier 4 systems specified in the contract were as follows:6

        1.  EDNet
        2.  Education Central Automated Processing System
        3.  Federal Student Aid’s Financial Management System
        4.  Common Origination and Disbursement
        5.  Central Processing System
        6.  Direct Loan Consolidation System
        7.  Direct Loan Servicing System
        8.  National Student Loan Data System
        9.  Postsecondary Education Participants System
        10. Virtual Data Center

Section 4.1 of the PWS also states, “The level of effort required to C&A a system varies depending on the criticality (tier classification) of the system.” Tier 4 systems are considered the most critical or highest risk, requiring the most significant level of effort in the C&A process. Specifically, the PWS requires the most documentation from system owners and most validation activities by the contractor for Tier 4 systems.

6 The Common Services for Borrowers system was added as an additional Tier 4 system through Modification 0003 to the contract.
Our audit did not include review of the deliverables for this system.

Attachment 2
Page 1 of 4

DETAILED RESULTS BY DELIVERABLE

Documentation Review:

Section 4.1.1 of the PWS, entitled “C&A Documentation Review,” requires the contractor to review security documentation for the systems to ensure they are complete, consistent, contain adequate security controls, and comply with Department, OMB, and other policy guidance. The PWS requires review of the following documentation for each system:

   • Risk Assessment (RA)
   • Systems Security Plan (SSP)
   • Configuration Management Plan (CMP)
   • Continuity of Support (COS) Plan (and Disaster Recovery Plans, if applicable), and
   • ST&E Plan

Deliverable 4.1.1.2 requires the contractor to provide a document detailing findings from document reviews and staff interviews. Acceptance criteria for this document include that findings should be consistent with Department, NIST, or best practice standards, should clearly explain how risk levels for any findings were determined, and should include specific names of those interviewed and exact locations of sites visited.

A Matrix of Observations was provided as the deliverable for this section. The following issues were noted with the matrices provided:

   • Matrices for 2 of the 10 systems did not include a section documenting the ST&E plan review as required.
   • Matrices for five of the systems included a sixth section for vulnerability scans/penetration testing, but data was only included in this section for two of the five systems.
     Since all 10 systems were to receive vulnerability scans/penetration testing, it would seem that all 10 systems should have this section completed.
   • Matrices were incomplete for six of the systems in that some entries in the Continuity of Support plan did not have a risk impact listed, or listed “Yes” as the risk without an indication of the level of risk.
   • We also found that the matrices did not meet acceptance criteria as the reports did not clearly explain how risk levels were determined (criterion 2b), and findings did not include specific names of those interviewed or locations of site visits (criterion 2c).

We matched the medium and high-risk issues noted in the matrices to determine whether the items were also noted in the system owner out briefs, certification recommendation report, and certifier out briefs. Only two systems had medium or high-risk items noted and all these items were also reflected in the later documents reviewed.

However, we noted that some medium or high-risk issues were noted in the system owner out briefs, certification recommendation report, or certifier out briefs that were not noted in the matrices. For example, we noted that these documents for the Virtual Data Center included two medium risk issues regarding the configuration management plan that were not included in the matrix of observations for that system.

Vulnerability Scans/Penetration Testing:

Section 4.1.3 of the PWS states that vulnerability scans and penetration testing provide an assessment of a system’s ability to withstand intentional attempts to compromise systems security controls by exploiting vulnerabilities.
The PWS states that the contractor shall develop, plan, and conduct vulnerability scans and penetration testing on all Tier 4 systems.

• Rules of Engagement (4.1.3.1.1) – According to the PWS, this was to be a document detailing agreement between the system owners and the contractor for vulnerability scans/penetration testing. This requirement indicates that system-specific rules of engagement would be developed. The contractor provided a general rules of engagement document for vulnerability scans/penetration testing, and this document also indicated that system-specific documents, to include appropriate signatures, contact information, dates of the tests, and other information, would be developed. OCIO staff were not able to locate any of the agreements for the 10 systems reviewed.

   The general rules did not include the Department’s agreement with the contractor that penetration testing would not be performed if there was any possibility of bringing down a system, nor did the general rules document include the definition of a finding as agreed upon with the contractor. Both of these agreements were significant to the scope of work to be performed under the contract, but the Department could provide no documentation of the agreements, nor was the information provided to the CO for evaluation of the impact on the scope of work and contract price. (See further discussion of this issue in Finding 1.)

• Develop and Conduct Tests (4.1.3.1.3) – The contractor did not provide evidence that tests were conducted. Acceptance criteria for this deliverable required the contractor to provide “non-damaging evidence that the test was performed.” OCIO staff stated that the deliverables were email or verbal communication that the testing had been completed, but OCIO could not locate any emails.
   OCIO staff stated that there was never any question that the testing was completed. However, without evidence as required by the contract, there is no assurance that the testing done was complete and appropriate.

• Evaluate and Document Findings (4.1.3.1.4) – This task was to result in a document detailing test findings and results. There were no particular requirements for the format of the document, other than that it should be included as an appendix to the test report in the next task. OCIO staff stated that there were no findings and therefore there were no deliverables for this task.

• Prepare Test Report (4.1.3.1.5) – This deliverable is a report detailing the methodology, findings, etc., from the vulnerability scans and penetration testing. Eight specific acceptance criteria were provided for the reports. OCIO staff stated that the deliverables for this task were a white paper provided at the start of the C&A project which detailed the methodology to be used, and the certifier out briefs (included in a later task). At least two of the acceptance criteria under this task were not satisfied by the deliverables cited by OCIO. Neither included the specific Internet Protocol address of the systems tested (criterion 1e), or the tools used and the settings of the tools (criterion 1f).

• System Owner Out Briefs (4.1.4.1.1) – This deliverable includes briefing slides that detail major ST&E and penetration test (if applicable) methodology and findings. The out briefs were to all have the same format, be consistent, free of spelling errors, etc.
   The contract required that the system owner out briefs have the same format and contain all information that will enable the system owner to implement necessary corrections, changes, or resolutions. We found that the out briefs were incomplete as follows:

       o Only 3 of the 10 briefings included an overview of the vulnerability scans/penetration testing process, listing vulnerability scanning tools used. None of the briefings listed the tool settings as required by the acceptance criteria.
       o Only 2 of the 10 briefings included a page on vulnerability scans/penetration testing that stated whether there were or were not findings.

   Since the out briefs were not complete, the system owners did not have all the data needed to make decisions or take corrective actions.

• Conduct Brief and Record Minutes (4.1.4.1.3) – No minutes were recorded as required. Neither the contractor nor OCIO staff were aware of this requirement. As such, there is no record of the discussion, or of the agreements for corrective action to be taken.

• Assurance that 2002 Risk Assessment Findings Have Been Mitigated (4.1.5) – While the certifier out briefs included a page on risk assessments that stated “no issues noted,” there was no information to support this conclusion. No data was provided on what the former risk assessments were, or how they were mitigated. The matrices of observation stated only that the 2002 Risk Assessment Reports documented recommendations to mitigate the vulnerabilities, not that the vulnerabilities had actually been mitigated.
   As a result, the Department cannot evaluate the appropriateness of the contractor’s conclusions and has no assurance that the risk assessment findings have been mitigated.

• Certification Recommendation Reports (4.1.5.1.2) – The contract includes a deliverable that details the system description, methodology, findings, recommendations, etc., and was to follow the basic format of a Risk Assessment Report included as an Appendix to a Department Directive. OCIO staff stated that after the first system manager’s briefing, the COR verbally instructed the contractor that this report was not required as long as the methodology and specific findings were included in the certifier briefing. No documentation of this instruction was provided, nor was the CO informed of this change in requirements and elimination of this deliverable.

   Further, we reviewed the requirements for the report and the certifier out briefs and found several sections in the report were not covered in the certifier out briefs or other deliverables, including the following – background, scope, structure, risk assessment approach (system boundaries, information-gathering techniques, steps taken to complete the risk assessment sections), system characterization, findings (existing mitigating security controls, impact analysis discussion sections), and appendices (system diagram, anticipated major changes/upgrades, glossary of terms, list of references, list of acronyms, list of key staff members and contact information).

   This deliverable would have provided detail on how the C&A process was completed.
   By eliminating this requirement, OCIO reduced the amount of information to be provided by the contractor, and therefore reduced its assurance that the C&A process was appropriately performed.

• Certifier Briefing Slides (4.1.5.1.3) – Similar to the system owner out briefs, we found that the certifier out briefs were not complete. Only 1 of the 10 briefings included information on the vulnerability scans/penetration testing results or that no vulnerabilities were found. As such, the certifier did not have complete information upon which to base the certification decision.

• Present executive brief, report, and letter to certifier, and record minutes, agreements, etc. (4.1.5.2.2) – No minutes were recorded as required. As with the systems owner briefs, neither the contractor nor OCIO staff were aware of this requirement.

Attachment 3
Page 1 of 21

OIG Comments to Department Response

In this attachment, the Department’s response is presented in italics. OIG’s comments to the Department’s response are presented in standard type.
The Department’s entire response is provided as Attachment 4.

Department Response

TO:      Helen Lew
         Assistant Inspector General for Audit Services
         Office of the Inspector General

FROM:    Jack Martin
         Chief Financial Officer
         Office of the Chief Financial Officer

         William Leidinger
         Assistant Secretary for Management and the Chief Information Officer
         Office of Management

SUBJECT: Draft Audit Report Management of the Department’s Certification and Accreditation Contract, Control Number ED-OIG/S19-E0015

This memorandum responds to the Office of the Inspector General (OIG) subject Draft Audit Report, dated August 19, 2004. The purpose of the audit was to determine the effectiveness of the Department’s management of the Certification and Accreditation (C&A) contract. The audit was limited to the review of deliverables related to the documentation review and vulnerability scanning/penetration testing requirement of the contract to the initial 10 Tier 4 systems subjected to the C&A process.

In general, the OIG found that the Department staff did not effectively manage the C&A contract and that improvements are needed in the Department’s contract management process. The OIG reported that Department staff did not adequately track and inspect deliverables, gave unauthorized instructions to the contractor to reduce the scope of work to be performed, did not inform the contracting officer of changes in key personnel, and did not document evaluations of contractor-submitted reports.
The OIG also reported that the performance work statement for the C&A contract did not require sufficient documentation to support C&A recommendations and decisions and that the initial services received from the C&A contractor did not provide managers with complete, supportable information upon which to base their certification decisions.

Background

The Department had never before in its history completed the C&A of any IT system prior to the passage of the Government Information Security Reform Act in 2000. The Department began developing its C&A program in 2001 with its first Plan of Action and Milestones (POA&M) submission to the Office of Management and Budget (OMB). Department production systems began preparing for National Institute of Standards and Technology (NIST) compliant Risk Assessments that were completed the summer of 2002. The resulting risk assessment findings were incorporated into the Department’s fiscal year 2002 POA&M. Systems across the Department applied the risk mitigation strategies described in NIST SP 800-30 while the Department further developed the C&A program.

The Department next launched an intensive effort to ensure that all Major Applications and General Support Systems had a NIST compliant System Security Plan, Configuration Management Plan and Contingency Plan (including a Disaster Recovery Plan for tier 3 and 4 systems). The Department also focused on developing standardized Security Test and Evaluation (ST&E) plans based on NIST and Department policies, standards and guidelines for consistent testing of all Tier 3 and 4 systems. The resulting ST&E plans were intended to verify that appropriate security controls existed and were functioning properly.
The ST&E plans were never intended to identify system vulnerabilities, but rather vulnerabilities or weaknesses in security controls. Automated vulnerability scanning does not test the effectiveness of security controls, but instead identifies "potential" vulnerabilities in system configurations or software without taking into account the mitigating security controls in place. This approach for ST&E plans is supported by NIST Special Publication (SP) 800-37 Subtask 4.3, Security Assessment that states:

       SECURITY ASSESSMENT
       SUBTASK 4.3: Assess the management, operational, and technical security controls in the information system using methods and procedures selected or developed.
       RESPONSIBILITY: Certification Agent.
       GUIDANCE: Security assessment determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of the security assessment, including recommendations for correcting any deficiencies in the security controls, are documented in the security assessment report.

Each security control element that was to be tested had a test title, impact statement if the system control failed that particular test, test script with step-by-step instructions for executing the test, and expected results if the system control passed the test. This approach conformed to security industry standards for an ST&E plan.

The Department further consulted with several consulting firms experienced with supporting C&A programs for both civilian and Department of Defense agencies.
The Department visited several civilian agencies with established C&A programs to learn from their successes and past experiences. The Department then wrote a Performance Work Statement (PWS) in order to contract for an independent, experienced IT security review team.

The resulting C&A PWS was shared with the OIG IT security auditors. The Department asked for assistance in ensuring that the C&A review described in the PWS would be adequate and meet Federal standards. The Department asked the OIG to assist in developing IT security standards that Agency systems should meet and against which these systems would be reviewed in the C&A program. In both instances, the OIG indicated that both of these activities were ED management responsibilities. The OIG did, however, provide checklists consisting of over 1000 questions used in their annual FISMA reviews. The checklists, however, did not include any associated risk levels with these questions or indicate the impact of mitigating controls. The OIG also provided a list of the automated vulnerability scanning tools that they use in their annual FISMA reviews. The assistance provided by the OIG was very much welcomed and appreciated.

Realizing the importance to the Department and high visibility of the C&A effort, the Department made every effort to ensure that sufficient resources were dedicated to manage the C&A contract. The Office of the Chief Information Officer (OCIO) did not have all of the required contracting, C&A subject matter expertise and project management skills in a single staff member. The Chief Information Officer (CIO), therefore, assigned the most experienced Contracting Officer’s Representative (COR) to this project, as well as the entire Information Assurance staff to serve as subject matter experts in support of the COR. No one in OCIO, at the time, was both certified as a project manager and had experience with projects of similar size and scope.
The CIO, therefore, contracted for a certified project manager who did meet these qualifications. These individuals formed the team designated to oversee the execution of the C&A contract. This team established several working groups that included key system owner representatives. The CIO met weekly with the management team, key system owner representatives, and the C&A contractor to ensure the success of the C&A effort.

The C&A contractor utilized the same scanning tools used by OIG for the FY03 FISMA audit during the CRG’s C&A reviews of Mission Critical systems. The contractor did not, however, evaluate the resulting scan tool “hits” to have the same importance or relevance, as did the OIG. The contractor used an approach as described in NIST SP 800-42 that states on pages 3-4:

       However, vulnerability scanners have some significant weaknesses. Generally, they only identify surface vulnerabilities and are unable to address the overall risk level of a scanned network. Although the scan process itself is highly automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities when none exist). This means an individual with expertise in networking and operating system security and in administration must interpret the results.

The Department contracted for the IT security expertise provided by the C&A contractor. The Department asked the C&A contractor to interpret the results of the scans.
The C&A contractor did not believe that the scan “hits” identified anything significant regarding the existence of proper functioning of the related system security controls.

The C&A PWS asked the contractor to provide a report of any findings resulting from the vulnerability scanning and penetration testing. A definition of finding was not included in the PWS. The C&A contractor asked the Government to provide a definition. The OCIO Information Assurance staff provided a definition based on the only other source of “findings” with which they were familiar, namely OIG audits. A finding in an OIG audit is something that needs to be brought to the attention of the senior management official and needs to be subsequently corrected. The C&A contractor did not, in their professional opinion, identify anything from the vulnerability scanning and penetration testing that met this definition.

OIG Comments

As discussed in Finding 2 and in the OTHER MATTERS section of this report, the contract did not require the contractor to provide or maintain documentation supporting its conclusions, and Department staff stated analyses of scan results were destroyed. As a result, the Department does not have any documentation to support the contractor’s determination that the scan “hits” did not identify any significant issues. Should any questions arise during the certification decision, the contractor should have the information available to resolve such questions.

The Department states that it based its definition of a “finding” on its interpretation of what constitutes a finding in an OIG audit. However, an OIG audit includes documentation of tests performed, information reviewed and evaluated, and the results of those reviews and evaluations, regardless of whether there were issues that needed to be reported to management.
Using the Department’s analogy, it is reasonable to expect that the C&A contractor could provide similar documentation to support its conclusions. As discussed in the report, the Department did not document its definition of a finding, or the agreement with the contractor as to what constitutes a finding. As a result, the contractor may have interpreted the definition in a manner not consistent with the Department’s intent. Since documentation does not exist for what was or was not determined to be a finding, the Department does not have any assurance that the contractor followed its guidance on the definition of a finding in analyzing and reporting scan results.

Section 4.1.3 of the PWS, “Vulnerability Scan and Penetration Testing,” states that vulnerability scans and penetration testing provide assessments of a system’s ability to withstand intentional attempts to compromise system security controls by exploiting vulnerabilities. Without documentation that the tests were performed, and the results of those tests, whether favorable or unfavorable, the Department has only the verbal assurances of a contractor, with whom the Department has no previous experience, on the system’s ability to withstand attempts to compromise controls.

Department Response

The C&A PWS also asked the contractor to take minutes at all out briefings and to provide a final C&A review report similar to the report format used for the previous system risk assessments. The intent was to ensure that the review methodology was clearly explained and that resulting findings, including associated risk level and recommended corrective action, were provided.
When the C&A contractor provided advanced copies of their C&A briefing report, the C&A project management team believed that these materials fully met the intent of the reporting format, as well as the intent of the requirement regarding the taking of minutes. The COR verbally changed these requirements and the work continued with these modifications. OCIO Information Assurance staff believed that this experienced COR was following all of the Department’s contract procedures.

OIG Comments

During our review, neither the contractor nor OCIO staff were familiar with the requirement for minutes of the meetings. It does not seem reasonable, therefore, that the COR accepted the briefing report as meeting the deliverable requirements for the minutes. Neither the contractor nor OCIO staff mentioned a verbal change to eliminate the requirement for the minutes as is stated in the Department’s response. If the requirement for the deliverable had been eliminated, there was no documentation of this decision, nor was the CO made aware of the change in contract requirements so that an evaluation of any impact on the contract price could be made.

In addition, OCIO management stated during our review that items that were missing from the system and certifier outbriefs were covered verbally during the briefings. Had minutes been taken, this information would have been captured. Documents prepared prior to a meeting cannot capture key discussion items that may arise during meetings.

OCIO staff did state that after the first system manager’s briefing, the COR verbally instructed the contractor that the Certification Recommendation Report was not required as long as the methodology and specific findings were included in the certifier briefing.
As detailed in the
audit report, we found that numerous sections in the Certification Recommendation Report,
including sections dealing with the methodology (risk assessment approach, system boundaries,
information-gathering techniques, steps taken to complete the risk assessment sections), were not
covered in the certifier out briefs or other deliverables. No documentation of this instruction was
provided, nor was the CO informed of this change in requirements and elimination of this
deliverable.

In Modification 0005 to the contract, the Department included requirements for a “Final Security
Assessment Report.” This report includes essentially the same acceptance criteria as were
included for the Certification Recommendation Report discussed above that OCIO staff stated
was determined not to be needed during the original contract performance. This new report
requirement indicates that Department staff determined that this information was needed for the
C&A process.

Department Response

The designated C&A contract COR left the Department in the fall of 2003 following the
completion of the first round of C&A. A second OCIO COR was identified. All of the
deliverables for the second and third rounds of C&A were of the same quality and type as had
been accepted under the first round. Everyone believed that proper procedures had been
followed. Everyone was satisfied with the content and quality of deliverables and believed that
the Department was properly moving forward to C&A all its systems and meet OMB’s timeline.

OIG Comments

The Department states that all of the deliverables for the second and third rounds of C&A were
of the same quality and type as accepted under the first round.
This indicates that problems
noted in our review, which encompassed the first and second rounds of C&A, continue into the
third round.

The Department states, “Everyone was satisfied with the content and quality of the deliverables
. . . .” However, there was no documentation of inspection and acceptance of the deliverables, and
the CO was not informed that requirements for the deliverables had been changed. Modification
0005 included a requirement to repeat work performed under the original contract, indicating there
were indeed deficiencies with the original work performed.

Department Response

Comments on the Draft Audit

The Department acknowledges that it could have improved contract monitoring efforts by
reminding the COR of his/her basic contract monitoring responsibilities and limitations,
specifically that

   •   CORs, when using other Department staff and contractor project management support to
       assist with contract monitoring, are ultimately accountable to the contracting officer for
       the responsibilities in contract monitoring, and
   •   CORs are not authorized to direct changes to the contract and that CORs must
       communicate with their contracting officers to form a cooperative working relationship
       so that when changes are needed to contract requirements, the contracting officer can
       authorize such changes provided they are in the Government’s best interest.

However, while acknowledging that contract related processes early in the C&A contract period
could have been performed to more closely adhere to the Department’s contract procedures and
policies, the Department does not concur in whole with the findings of the draft audit.
The
Department believes that the C&A contractor’s performance met the objectives of the contract in
support of the C&A program. A response to specific points in the draft audit is provided in the
following.

OIG Comments

The Department states above its belief that “. . . the C&A contractor’s performance met the
objectives of the contract in support of the C&A program.” The PWS states, “The Department’s
primary goal is to meet the C&A schedule as described under the Scope section of this
document.” The Scope section states the Department’s intent to certify and accredit 10 systems
by September 30, 2003, and an additional 15 systems by December 31, 2003. The Department
did certify and accredit the systems as specified in the scope. As such, the Department’s
statement is accurate that the C&A contractor’s performance met the objectives of the contract –
to meet the schedule. However, due to changes made by the Department, and ineffective
contract monitoring, we found that the contractor did not provide all deliverables originally
required under the contract, and some deliverables provided did not meet acceptance criteria. As
a result, the Department did not have information to support the decisions made by the contractor
during its review, and the contractor’s certification recommendations to the Department. The
Department paid for work that was not performed under the contract.

Department Response

           Finding No. 1 – Department Staff Did Not Effectively Manage the C&A Contract.

The Department agrees that as defined by ACS OCFO:2-108, Contract Monitoring for Program
Officials, it is the policy of the Department to monitor every contract to the extent appropriate to
provide assurance that the contractor performs the work called for in the contract, and to
develop a clear record of accountability for performance. Elements of importance to the
Department when monitoring for contractor performance include: contractor performance
outcomes and specifications, timeliness, quality, and cost control. The PWS for the C&A
contract stated that the scope of the PWS covers the responsibilities and activities of Phase 3,
Validation of the C&A process and that the C&A contractor shall perform technical certification
activities on behalf of the Certifier, and that the Department’s primary goal is to meet the C&A
schedule described under the Scope section of this document.7

           a. The COR, other OCIO staff, and the project management contractor, did not
              adequately track and inspect deliverables to ensure that contract requirements were
              met.

The Department specified process outputs, deliverables, acceptance criteria, and dates due. The
OIG reports that deliverables were not provided.

7 PWS, Section 3 – Scope, and Section 4, Task 4.1, “Certification Review Group Support”.

The Department disagrees with the following.

Rules of Engagement, Evidence that Vulnerability Scans/Penetration Testing was Conducted,
Minutes for System Owner and Certifier Out Briefs.
The COR accepted the single rules of
engagement deliverable from the contractor as meeting this requirement for all of the systems.
System managers required testing agreements that detailed when and how the tests would be
conducted. These agreements were negotiated at meetings attended by C&A contract
management team members. It is not possible to complete the scanning logistics at the VDC,
Rockville, EDNet or COD without establishing these agreements. This is standard practice and
common knowledge. The audit occurred four to six months after the end of the related contract
period. Although OCIO has not been able to locate any copies of these agreements, it would not
have been possible for ICS to execute the scans and ST&E tests without such agreements. The
COR accepted the communications at the weekly working group meetings that confirmed
non-damaging execution of the vulnerability scans and penetration testing as the related deliverable.
The COR accepted the Microsoft PowerPoint report as meeting the deliverable requirements for
the minutes.

OIG Comments

Rules of Engagement/Testing Agreements

The Department could not provide any documentation to support that the COR accepted the
general rules of engagement document for all systems. The general rules of engagement stated
that system-specific documents, to include appropriate signatures, contact information, dates of
the tests, and other information, would be developed. This information was not included in the
general rules document. Acceptance criteria for this deliverable also included system-specific
rules.

During our review, OCIO staff stated in an email on July 28, 2004, “We had one Rules of
Engagement and then separate testing agreements. We are looking for copies of the testing
agreements.” At the exit conference on August 2, 2004, OCIO staff stated that they could not
locate any of the testing agreements.
OCIO staff stated that they had asked for these documents
from both the system owners and the contractor and no one could find the agreements for any of
the 10 Tier 4 systems. In its response above, the Department stated that although no copies of
the agreements had been found, it would not have been possible to execute the scans and ST&E
tests without such agreements. It seems highly unlikely, if such agreements were developed, as
the Department states is “standard practice and common knowledge,” that not one copy could be
located for any of the 10 systems. Without documentation, the Department cannot conclude that
the testing agreements were developed as required by the general rules statement. This,
combined with a lack of evidence that testing was completed and a lack of testing reports as
discussed below, means that there is no documentation of what testing was actually
performed.

Evidence that Vulnerability Scans/Penetration Testing Was Conducted

As stated in the report, acceptance criteria for this deliverable required the contractor to provide
“non-damaging evidence that the test was performed” (emphasis added). During our review,
OCIO staff stated that the deliverables consisted of emails or verbal communications that the
testing had been completed, but OCIO staff could not locate any emails. OCIO staff stated there
was never any question that the testing was completed.
However, without evidence as required
by the contract, there is no assurance that the testing done was complete and appropriate.

Minutes for System Owner and Certifier Out Briefs

The Department stated, “The COR accepted the Microsoft PowerPoint report as meeting the
deliverable requirements for the minutes.”

The Department’s response to the System Owner Out Briefs section below states, “. . . the
Department acknowledges that some of the items were verbally reported by the CRG.” The
PWS under 4.1.4 states,

       The purpose of these out briefs is to inform the system owners of the certification
       review results and to document any specific action items and agreements that
       come out of the meetings.

Without minutes of the meetings, there is no documentation of who attended, of action items and
agreements, or of the items that the Department states were verbally reported.

During our review, neither the contractor nor OCIO staff were familiar with the requirement for
minutes of the meetings. It does not seem reasonable, therefore, that the COR accepted the
PowerPoint report as meeting these deliverable requirements. Neither the contractor nor OCIO
staff mentioned a verbal change to eliminate the requirement for the minutes as is stated in the
Department’s response. There was no documentation of such a decision, nor was the CO made
aware of the change in contract requirements so that an evaluation of any impact on the contract
price could be made.

Department Response

Matrices of Observations, Vulnerability Scans/Penetration Testing Reports, System Owner and
Certifier Out Briefs. The matrices of observation were not a required deliverable. They were
work papers that supported the required deliverable of analysis of the security documentation.
The required analysis was provided in the out brief presentation.
The contractor voluntarily
provided the Matrices of Observations for most systems on the CDs that included contract
required deliverables at the time of Certifier Out Briefings. The Matrices of Observations were
not, however, deliverables required under the contract. After the initiation of the C&A contract
audit and OIG began to ask questions about the Matrices of Observations, OCIO included the
matrices in the analysis of everything ICS provided to the Department. This analysis was
tracked in an Excel Workbook. The Excel workbook was never used during the related contract
period to track required deliverables. The COR required vulnerability scanning and penetration
test reports for items that the contractor believed should be brought to the attention of the
Certifier. Since there were no such items, there were no related deliverables. While the
Department agrees that the briefing reports were not totally consistent, the out briefs did meet
the deliverable requirements; although the Department acknowledges that some of the items
were verbally reported by the CRG. The Department takes further exception to the OIG
assertion that the deliverables did not meet the acceptance criteria.
The COR judged the
deliverables referenced in this sub-finding as meeting the acceptance criteria.

OIG Comments

Matrices of Observations

On May 25, 2004, OCIO provided by email an Excel file entitled “C&A Deliverable Analysis.”
In the accompanying message, OCIO staff stated, “Attached is a workbook that provides the
current status of the quality review OCIO is completing on all of the ICS deliverables under the
C&A contract.” The matrices of observation were included in this worksheet as a deliverable
being tracked by OCIO. In its response above, the Department stated that OCIO included the
matrices in the analysis after the OIG began asking questions about them. However, OIG’s
review was initially limited to review of the vulnerability scans/penetration testing deliverables,
not those from the documentation review portion of the contract. OIG did not ask about the
matrices until July 2, 2004, as discussed further below. As such, the Department was tracking
the matrices as a deliverable prior to OIG’s inquiries.

In an email on July 2, 2004, from OIG to OCIO, OIG staff stated,

       . . . I’m looking for the Matrix of Observations (MOOs) for the following systems
       . . . I’m assuming that this is what was used to report out on the results of ICS’s
       documentation review for each system. Please advise if I am incorrect here in
       assuming that the MOOs were the documentation review deliverables.

OCIO staff responded by providing the additional matrices requested by OIG. OCIO did not at
that time clarify that the matrices did not represent the deliverables for the documentation
review, or that the matrices were not deliverables at all.
At the exit conference where the
detailed information from the audit was presented, including the attachment to the draft audit
report that reported issues for each deliverable area and identified the matrices as the deliverable
for the documentation review, OCIO staff did not mention that the matrices were not the
deliverables for this area. Further, if the Department now asserts that the matrices of
observations were not the deliverables under this section, then no deliverables were provided for
the Documentation Review.

Vulnerability Scans/Penetration Testing Reports

In its response, the Department stated,

       The COR required vulnerability scanning and penetration test reports for items
       that the contractor believed should be brought to the attention of the Certifier.
       Since there were no such items, there were no related deliverables.

During our review, OCIO staff stated that the deliverables for this task were a white paper
provided at the start of the C&A project, which detailed the methodology to be used, and the
certifier out briefs. However, as stated in the audit report, these documents did not meet all
acceptance criteria required for the testing reports – specifically, these documents did not include
the Internet Protocol addresses of the systems tested, the tools used, and the settings for the tools.
Combined with the lack of testing agreements, the lack of evidence that testing was completed as
discussed above, and the destruction of the documentation supporting the contractor’s analysis of
scan results, the Department cannot determine whether the tests performed were appropriate.
In
addition, it would seem reasonable that negative reports could have been prepared by the
contractor to provide the Department with documented assurance that there were no issues noted
that should be brought to the attention of management.

System Owner and Certifier Out Briefs

The Department acknowledged the out briefs were not consistent. The out briefs did not contain
all information required by the contract, and the Department also stated that some items were
reported verbally. As such, the out briefs clearly did not meet acceptance criteria and should not
have been accepted by the COR. There was no documentation of acceptance of any deliverables
by the Department. Since no minutes were kept of the out briefs, there was no documentation to
support the Department’s statement that some items were reported verbally and not included in
the out brief slides.

Department Response

Assurance that 2002 Risk Assessment Findings Have Been Mitigated. The OIG further reports
that the contractor did not report on whether issues noted in the 2002 risk assessments had been
mitigated as required by the contract. The Department submits that no system entered the C&A
process with open risk assessment findings. All system managers stated in writing that all risk
assessment findings had been corrected. The C&A contractor verbally confirmed that all risk
assessment findings had been addressed. The COR accepted this verbal confirmation, in concert
with the documentation provided by system managers, as meeting the deliverable requirement.

OIG Comments

The PWS required the contractor to “. . . provide assurance that all risk assessment findings that
are categorized as high and medium have been mitigated . . . .” In its response, the Department
stated that the contractor provided and the COR accepted verbal confirmation that all risk
assessment findings had been addressed. Without documentation, the Department cannot
evaluate the appropriateness of the contractor’s conclusions or determine what the contractor
actually did to assure the findings were mitigated.

Department Response

Inconsistency Between Matrices of Observations and System Owner and Certifier Out Briefs.
Lastly, the OIG reports that issues reported in the matrices of observations were not consistent
with issues reported in the system owner and certifier out briefs. As stated previously, the
matrices of observations were not a deliverable under this contract. These documents reflect the
initial review of the security documentation by the C&A contractor. It was an established and
government approved process to allow the system manager to correct any findings during the
review and thereby remove such findings from the resulting report. The C&A review was never
intended to be an audit, but rather a report of the security posture of the system in question at the
time of the Certifier briefing. All issues listed in the matrices of observations that were not in out
briefs were validated as corrected prior to the out briefs.

OIG Comments

OIG acknowledges that items corrected during the process would not appear in subsequent
documents. However, OIG reported that the subsequent documents reported issues that were not
included in the matrices, an earlier document in the process. As such, the matrices were
incomplete and did not report all issues. The inconsistency in the reports should have been noted
and resolved to determine why the matrices did not include the issues that were noted in
subsequent documents.
The fact that complete and consistent products were not provided by the
contractor may indicate issues with the quality of the work performed.

Department Response

       a(1) Deliverables were not adequately tracked and inspected for 3 reasons.

OCIO Fragmented Contract Management Responsibilities

The Department agrees that per Department policy, the COR is responsible to the contracting
officer for monitoring the programmatic or technical aspects of the contract. However, it is not
uncommon, depending upon the size and complexity of a contract, for the program manager to
allocate contract monitoring responsibilities for subcomponents of the contract to staff
possessing subject matter expertise and other staff with experience in contract monitoring to
assist the COR in managing the technical requirements. The Department can, in some high-risk
contract requirement situations, outsource project management responsibilities, provided these
responsibilities are not inherently governmental. In order to protect the Department’s IT assets
as required under NIST and other guidelines, OCIO embarked on an effort to aggressively C&A
its systems. OCIO, therefore, contracted for a certified and experienced project manager to help
ensure that government staff established timelines and process consistency. While Department
staff had subject matter expertise, none had sufficient project management certification or
expertise with a project of this size and scope.

Monitoring Focused on Schedules, Not Deliverables

To reiterate, the Department’s primary goal under this contract was to meet the C&A schedule
described under the Scope section.
The written audit trail of monitoring activities focused on the
schedule because that was the most complex and varied element. However, the Department
disagrees that deliverables were not also a focus of contract monitoring. The COR and staff
reviewed actual deliverables, which led to changes to requirements. While meeting the schedule
may have been a primary focus, the quality of the review of the deliverables for acceptance was
not sacrificed. Had the deliverables not met the acceptance criteria, the Department would not
have considered the schedule met.

OIG Comments

The Department agreed that its primary goal was to meet the C&A schedule, but stated that the
quality of the review of the deliverables for acceptance was not sacrificed. However, our review
found that deliverables were not provided, or did not meet the acceptance criteria specified in the
contract. Verbal changes were made to deliverable requirements that were not documented and
further reduced the effort required by the contractor to document its work and support its
conclusions. During our review, the second COR stated that she did not inspect the deliverables,
but rather passed them to the project management contractor or other OCIO staff with technical
expertise. We found that the COR and other OCIO staff were not familiar with some of the
deliverable requirements, had difficulty locating deliverables, and could not initially tell us
which systems received penetration testing. As such, we conclude that the quality of the review
of the deliverables for acceptance was not sufficient to note problems and appropriately reject
deliverables that did not meet contract requirements.

Department Response

Receipts Process for Service Contracts Does Not Document Acceptance of Deliverables

Payment under the contract was based on adequate progress in the form of six monthly progress
payments and was not directly tied to the acceptance of deliverables.
The Department believes
that sufficient monthly progress was made by the contractor and was the basis for any payment.
It was not intended for the receipts process to be the source of documentation for accepting
contract deliverables. However, should contract payment be based on deliverables, the receipts
process is adequate for documenting the receipt and acceptance of deliverables. Furthermore,
while the Department acknowledges that the audit trail for accepting deliverables is not present,
the COR judged the deliverables received as meeting the acceptance criteria and therefore,
performance incentive payments were properly made.

OIG Comments

As previously noted, the COR stated that she did not inspect the deliverables, but provided them
to other OCIO staff with technical expertise. As such, the COR did not judge the deliverables
received as meeting the acceptance criteria as stated by the Department above. Section B of the
contract states, “The contractor will be paid the incentives above only if all deliverables for
systems meet the acceptance criteria and due dates specified . . . .” Our review found that while
systems were certified by the due dates, some deliverables to support the certification decision
were not provided or did not meet acceptance criteria.
The Department had no basis for granting
the incentive payments, since there was no documentation of inspection and acceptance of the
deliverables.

Department Response

       b. OCIO staff gave unauthorized instructions to the contractor to reduce the scope of
          work to be performed.

The Department agrees with the OIG finding that the COR was not authorized to direct changes
to the contract and that the contracting officer was unaware that these clarifications and
changes were made in the contract requirements. Additionally:

   • The Department concurs that a special arrangement was reached with TYSY [sic], the
     COD vendor, and their auditor, KPMG, to have the C&A contractor observe KPMG
     perform the vulnerability scans and penetration testing for the COD system as part of the
     TYSY [sic] SAS 70 audit. The scans that were conducted as part of the normal SAS 70
     audit were deemed satisfactory by the C&A contractor for purposes of the C&A effort.
     The C&A contractor conducted their independent analysis of the scan results and based
     their required deliverable, the C&A analysis report, upon this process. The C&A
     contractor acknowledged that their November 5, 2003 Weekly Status Report misstated
     the issues surrounding the COD scanning. The COR staff and FSA staff believed that the
     C&A contractor met the vulnerability scanning deliverable requirements. Subsequent to
     this work, KPMG, in the normal course of their engagement with TYSY [sic], destroyed
     the scan results. This is KPMG’s normal practice.
     Consistent with the rules of
     engagement summarized in the meeting minutes dated 9/11/2003, the KPMG work papers
     and other output and results could not be removed from the TSYS’ premises.
     Consequently, evidence that the scans were executed, results produced and analyzed no
     longer exists or cannot be made available to ED under the rules of engagement. ED is in
     the process of obtaining security sign in/out documentation from TYSY [sic] and
     affidavits/attestations from the C&A contractor to attest to their presence on-site at TSYS
     when KPMG performed the SAS 70 scans.

   OIG Comments

   The SAS 70 audit was a regular audit performed by KPMG, and not tailored to the C&A
   review. As stated in the Department’s response, the COD contractors did not install the
   vulnerability scanning tools or configure these tools according to the C&A contractor’s
   specifications. The C&A contractor merely observed the vulnerability scans and
   penetration testing conducted as part of the normal SAS 70 audit.

   OIG maintains its position that this reduced the level of effort by the contractor,
   and OCIO should have discussed this with the CO to determine if a reduction in
   contract price was warranted.

Department Response

   • The Department concurs that the C&A contractor did not execute the vulnerability scans
     for DLSS. The DLSS contractor (ACS) runs routine scans of DLSS. A routine scan of
     DLSS was performed by ACS in October 2003. Please note that the C&A contractor was
     not present for and, therefore, did not observe the actual configuration of the software
     and execution of this routine scan.
     The C&A contractor did communicate with ACS
     about the software and types of scans that ACS performs on DLSS. Based on the
     information provided by ACS, the C&A contractor determined that the software used and
     scans performed by ACS were the same that they (the C&A contractors) used in the C&A
     process. The C&A contractors requested and used ACS's October 2003 scan results for
     their C&A analysis and based their required deliverable, the C&A analysis report, upon
     this process. The COR staff and FSA staff believed that the C&A contractor met the
     vulnerability scanning deliverable requirement.

   OIG Comments

   The Department concurred that the C&A contractor was not present to observe the
   vulnerability scans, but rather reviewed scans run by the DLSS contractor as part of its
   routine processes. OIG maintains its position that this reduced the level of effort by the
   contractor, and OCIO should have discussed this with the CO to determine if a reduction
   in contract price was warranted.

Department Response

   • The Department does not agree with the OIG interpretation on the contract requirements
     for penetration testing. The contract specifically required penetration testing to leverage
     vulnerabilities discovered during the scans.
   Since no vulnerabilities that met the agreed upon definition of 'finding' were discovered, there was nothing to attempt to leverage via penetration testing.

OIG Comments

During our review, we were informed that it was the Department's concern with interrupting system operations that resulted in penetration testing not being performed (except for COD by KPMG as part of its SAS 70 review), not a lack of issues noted in vulnerability scanning. In a letter to the OIG dated May 25, 2004, ICS stated:

       ICS identified and conveyed to the Office of the Chief Information Officer (OCIO) those systems where penetration testing was the preferred method. On September 9, 2003, the OCIO COR discussed with ICS the concern for disruption of systems as a result of penetration testing on mission-critical systems. . . . As a result of several meetings with the OCIO, ICS agreed that penetration testing would not be performed on those systems where an impact to ongoing operations was anticipated.

In an email to OIG on June 18, 2004, ICS stated that one system was considered for full penetration testing. All other systems were considered too operationally valuable to risk bringing them down from any penetration testing. Since the contractor's accepted proposal included pricing for penetration testing, OCIO staff should have contacted the CO to discuss the reduction in the scope of work so that an appropriate reduction in the contract price could be evaluated.

Department Response

• While the Department is in agreement that the COR did not perform all of his/her duties in conformance with Department policy, the Department is not convinced that the unauthorized changes and direction that occurred is as a result of a fragmented COR monitoring team.
   As stated previously, all CORs assigned to this contract each had a number of years' experience as IT contract CORs.

OIG Comments

While the Department does not believe the issues were due to a fragmented monitoring team, it did not offer another reason for the problems noted. Earlier in its response (see page 3 of this attachment), the Department stated that it made every effort to ensure sufficient resources were dedicated to manage the C&A contract. However, the second COR stated that she was not able to devote a great deal of time to this contract as she was also assigned other tasks. The monitoring team established did not effectively communicate. We found that despite the organizational structure put into place to monitor the C&A process, the COR and/or team did not:

       o   Adequately track and inspect deliverables,
       o   Ensure instructions provided to the contractor were appropriate,
       o   Document and involve the CO where appropriate,
       o   Ensure the CO was informed of key personnel changes, and
       o   Ensure evaluations of contractor-submitted reports were documented and provided to the CO.

As such, contract monitoring activities were fragmented and not appropriately coordinated with the COR and CO. The Department concurred with the recommendations made in this area.

Department Response

• The Department concurs that verbal agreements with the contractor presented the possibility of future confusion and/or disagreements; however, these agreements did not result in a reduced level of effort that impacted price.
   The verbal agreements clarified the original intent of the contract and the level of effort for which we contracted was received.

OIG Comments

OIG strongly disagrees with the Department's response. Verbal agreements resulted in elimination of deliverables (or substitution of the documents called for in the Performance Work Statement with verbal reports), or reduction in the work performed by the C&A contractor in the following areas:

       o   System Specific Rules of Engagement/Testing Agreements
       o   Evidence that tests were conducted
       o   Vulnerability Scanning at COD and DLSS
       o   Penetration testing for all 10 Tier 4 Systems
       o   Testing reports
       o   Minutes of System Owner and Certifier Outbriefs
       o   Certification Recommendation Reports

Elimination of the requirements for written documents reduced the level of effort by the contractor and a commensurate reduction in the price should have been negotiated. As stated in the report, the Department issued Modification 0005 to the contract to have the contractor reperform some of the C&A tasks. This modification clearly indicates the tasks were not performed satisfactorily in the original contract term. This modification had a total cost of $715,851. For the 10 Tier 4 systems in our review, the value of the C&A tasks included in the modification was $253,692.
Of this amount, $122,472 was to repeat C&A analyses for seven of the Tier 4 systems that should have been completed in the initial contract.

Department Response

• The Department does not concur that the verbal agreements regarding the extent of penetration testing for the Tier 4 systems resulted in less assurance for the Department that these high-risk systems were adequately protected against unauthorized access. We believe most Federal civilian agencies do not utilize vulnerability scanning or penetration testing in their C&A reviews. The Department opted for a C&A review that exceeded that employed at the majority of Federal civilian agencies because we wanted to provide a higher level of assurance. We believe that that higher level of assurance was realized.

OIG Comments

OIG's position is unchanged. The contract called for penetration testing of the 10 Tier 4 systems. The contract stated that vulnerability scans and penetration testing provide an assessment of a system's ability to withstand intentional attempts to compromise systems security controls by exploiting vulnerabilities. This task was not completed as required by the contract, as only 1 of 10 systems received penetration testing. The current modification to the contract requires penetration testing to be performed for all 10 systems, which would seem to contradict the Department's statement that a high level of assurance was previously realized.

Department Response

       c.  The COR/OCIO staff did not ensure that the CO was informed of changes in key personnel and that the contractor submitted to the CO formal notice and requests for written approval of substitution of key personnel.

The Department concurs with this finding.
However, the Department disputes that the level of knowledge of the contractor personnel substituted without the knowledge of the contracting officer may not have equaled that of the designated key personnel upon which the contract award decision was at least partially based. Although the contracting officer was not properly involved with these personnel changes, the C&A project management team did closely review and discuss these changes prior to implementation. The resumes and qualifications were reviewed before personnel changes were made. The level of service and personnel skills and expertise were specifically addressed and monitored. The Department did not receive any reduction in service or quality. For the OIG to infer this is purely speculative in nature.

OIG Comments

The Department concurred with this finding and related recommendation. The Department states that qualifications were reviewed before key personnel changes were made. However, the contract and COR files had no documentation of review of resumes or qualifications for substituted key personnel.

Department Response

       d.  The COR did not document evaluations of contractor-submitted reports or provide written evaluations of the reports to the CO.

The Department concurs with this finding. The C&A contractor delivered the reports; however, the Department acknowledges that the subsequent audit trail of reviews does not exist.
The OIG purports that potential problem indicators included in the reports may not have been detected by the COR and in consideration that the contracting officer was not provided evaluations to confirm that reports were being received as required by the contract to take any required action to protect the Government's interest. The Department does not believe that any potential problems were overlooked.

OIG Comments

The Department concurred with the finding and recommendation.

Department Response

Department Response to OIG Recommendations for Finding No. 1

1.1.a  The Department concurs with this recommendation. A customized database has been implemented to assist in tracking deliverables at the requirements level. Requirements checklists have been developed that are used to validate formal acceptance of all deliverables. Formal deliverable acceptance is documented in writing.

1.1.b  The Department concurs with this recommendation. The contracting officer is specifically cited throughout the modified PWS as the only authorized individual to make any changes to the contract.

1.1.c  The Department concurs with this recommendation. The contracting officer notification of key personnel changes is already in effect.

1.1.d  The Department concurs with this recommendation. The COR has already begun documenting contractor reports and submitting the evaluations to the contracting officer.

1.1.e  The Department concurs with this recommendation. The COR has already begun building a proper contract file that reflects all information required to carry out the monitoring responsibilities.

1.2    The Department concurs with this recommendation.
       Several meetings have already taken place, beginning in July 2004, to discuss the contract monitoring plan and to clarify roles and responsibilities.

1.3    The Department concurs with this recommendation. Processes are already in place that ensure that any substitution in key personnel follows appropriate procedures.

1.4    The Department concurs with this recommendation. The contracting officer will ensure that any changes in COR responsibilities receive the proper appointment memoranda.

1.5    The Department does not concur with the underlying findings for this recommendation and therefore does not concur with the recommendation. The Department does not concur that incentive payments were made to the contractor improperly, that deliverables were unacceptable, or that payment was made for more than it should have for the work completed. The Contracting Officer had already determined that an opinion is not required from the Office of General Counsel.

OIG Comments

The Department concurred with four of the five recommendations for this finding. The Department did not concur with OIG's Recommendation 1.5 to obtain an Office of General Counsel opinion regarding possible remedies to recover funds from the contractor for improper incentive payments, unacceptable deliverables, and reductions to the scope of work made without the authorization of the CO.

As discussed in Finding 1, contract terms stated that incentives would be paid only if all deliverables meet the acceptance criteria and due dates specified. Since not all deliverables were provided, and some deliverables were not complete and therefore did not meet acceptance criteria, the contractor should not have been paid any of the incentive amounts.
OIG continues to recommend that OGC be consulted for an opinion on this matter.

Department Response

       Finding No. 2 - The Performance Work Statement Did Not Require Sufficient Documentation to Support C&A Recommendations and Decisions

The Department does not agree that the original PWS did not require sufficient documentation to support certification decisions. The documentation requirements in the original PWS were consistent with those in other Federal agencies and based on Federal guidelines to support C&A recommendations and decisions. NIST 800-34 places the emphasis on the System Security Plan and the Security Test and Evaluation (ST&E) plan. The original PWS placed a similar emphasis on these two areas as the basis for the subsequent C&A recommendations and decisions. Thorough and consistent ST&E plans were executed for each of the 10 systems reviewed in this audit.

       Department Response to OIG Recommendations for Finding No. 2

2.1.   The Department concurs with this recommendation and this action is completed.

2.2.   The Department concurs with this recommendation. This action has been implemented with the current contract modification that will be a template for future C&A contracts.

Thank you again for this opportunity to respond. Should you have questions, please contact Glenn Perry, Director, Contracts and Acquisitions Management at (202) 245-6200.

OIG Comments

The Department stated that it disagreed with this finding, but concurred with both of the related recommendations.
The Department stated that actions to address Recommendation 2.2 -- to include requirements for documentation supporting scans, tests, and analyses conducted, and decisions made on the risks and mitigating factors considered, in support of the contractor's C&A recommendations -- were implemented with the current modification to the C&A contract.

In its response, the Department states that NIST 800-34 places the emphasis on the System Security Plan and the ST&E plan. While review of the ST&E deliverables was not a part of this audit, analysis of these deliverables was conducted as part of the OIG's Federal Information Security Management Act (FISMA) audit. OIG disagrees with the Department's statement that "Thorough and consistent ST&E plans were executed for each of the 10 systems reviewed in this audit." In its FISMA audit, OIG determined that ST&E procedures were not sufficient to adequately identify residual system security risks and to ensure that significant security weaknesses identified in prior OIG security evaluations were fully corrected.

                                                                                        Attachment 4
                                                                                         Page 1 of 10

                      Department Response to Draft Report

                              October 18, 2004

TO:            Helen Lew
               Assistant Inspector General for Audit Services
               Office of the Inspector General

FROM:          Jack Martin
               Chief Financial Officer
               Office of the Chief Financial Officer

               William Leidinger
               Assistant Secretary for Management and the Chief Information Officer
               Office of Management

SUBJECT:       Draft Audit Report Management of the Department's Certification and
               Accreditation Contract, Control Number ED-OIG/S19-E0015

This memorandum responds to the Office of the Inspector General (OIG) subject Draft Audit Report, dated August 19, 2004. The purpose of the audit was to determine the effectiveness of the Department's management of the Certification and Accreditation (C&A) contract. The audit was limited to the review of deliverables related to the documentation review and vulnerability scanning/penetration testing requirement of the contract to the initial 10 Tier 4 systems subjected to the C&A process.

In general, the OIG found that the Department staff did not effectively manage the C&A contract and that improvements are needed in the Department's contract management process. The OIG reported that Department staff did not adequately track and inspect deliverables, gave unauthorized instructions to the contractor to reduce the scope of work to be performed, did not inform the contracting officer of changes in key personnel, and did not document evaluations of contractor-submitted reports. The OIG also reported that the performance work statement for the C&A contract did not require sufficient documentation to support C&A recommendations and decisions and that the initial services received from the C&A contractor did not provide managers with complete, supportable information upon which to base their certification decisions.

Background

The Department had never before in its history completed the C&A of any IT system prior to the passage of the Government Information Security Reform Act in 2000.
The Department began developing its C&A program in 2001 with its first Plan of Action and Milestones (POA&M) submission to the Office of Management and Budget (OMB). Department production systems began preparing for National Institute of Standards and Technology (NIST) compliant Risk Assessments that were completed the summer of 2002. The resulting risk assessment findings were incorporated into the Department's fiscal year 2002 POA&M. Systems across the Department applied the risk mitigation strategies described in NIST SP 800-30 while the Department further developed the C&A program.

The Department next launched an intensive effort to ensure that all Major Applications and General Support Systems had a NIST compliant System Security Plan, Configuration Management Plan and Contingency Plan (including a Disaster Recovery Plan for tier 3 and 4 systems). The Department also focused on developing standardized Security Test and Evaluation (ST&E) plans based on NIST and Department policies, standards and guidelines for consistent testing of all Tier 3 and 4 systems. The resulting ST&E plans were intended to verify that appropriate security controls existed and were functioning properly. The ST&E plans were never intended to identify system vulnerabilities, but rather vulnerabilities or weaknesses in security controls. Automated vulnerability scanning does not test the effectiveness of security controls, but instead identifies "potential" vulnerabilities in system configurations or software without taking into account the mitigating security controls in place.
This approach for ST&E plans is supported by NIST Special Publication (SP) 800-37 Subtask 4.3, Security Assessment that states:

       SECURITY ASSESSMENT
       SUBTASK 4.3: Assess the management, operational, and technical security controls in the information system using methods and procedures selected or developed.
       RESPONSIBILITY: Certification Agent.
       GUIDANCE: Security assessment determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of the security assessment, including recommendations for correcting any deficiencies in the security controls, are documented in the security assessment report.

Each security control element that was to be tested had a test title, impact statement if the system control failed that particular test, test script with step-by-step instructions for executing the test, and expected results if the system control passed the test. This approach conformed to security industry standards for an ST&E plan.

The Department further consulted with several consulting firms experienced with supporting C&A programs for both civilian and Department of Defense agencies. The Department visited several civilian agencies with established C&A programs to learn from their successes and past experiences. The Department then wrote a Performance Work Statement (PWS) in order to contract for an independent, experienced IT security review team.

The resulting C&A PWS was shared with the OIG IT security auditors. The Department asked for assistance in ensuring that the C&A review described in the PWS would be adequate and meet Federal standards.
The Department asked the OIG to assist in developing IT security standards that Agency systems should meet and against which these systems would be reviewed in the C&A program. In both instances, the OIG indicated that both of these activities were ED management responsibilities. The OIG did, however, provide checklists consisting of over 1000 questions used in their annual FISMA reviews. The checklists, however, did not include any associated risk levels with these questions or indicate the impact of mitigating controls. The OIG also provided a list of the automated vulnerability scanning tools that they use in their annual FISMA reviews. The assistance provided by the OIG was very much welcomed and appreciated.

Realizing the importance to the Department and high visibility of the C&A effort, the Department made every effort to ensure that sufficient resources were dedicated to manage the C&A contract. The Office of the Chief Information Officer (OCIO) did not have all of the required contracting, C&A subject matter expertise and project management skills in a single staff member. The Chief Information Officer (CIO), therefore, assigned the most experienced Contracting Officer's Representative (COR) to this project, as well as the entire Information Assurance staff to serve as subject matter experts in support of the COR. No one in OCIO, at the time, was both certified as a project manager and had experience with projects of similar size and scope. The CIO, therefore, contracted for a certified project manager who did meet these qualifications. These individuals formed the team designated to oversee the execution of the C&A contract.
This team established several working groups that included key system owner representatives. The CIO met weekly with the management team, key system owner representatives, and the C&A contractor to ensure the success of the C&A effort.

The C&A contractor utilized the same scanning tools used by OIG for the FY03 FISMA audit during the CRG's C&A reviews of Mission Critical systems. The contractor did not, however, evaluate the resulting scan tool "hits" to have the same importance or relevance, as did the OIG. The contractor used an approach as described in NIST SP 800-42 that states on pages 3-4:

       However, vulnerability scanners have some significant weaknesses. Generally, they only identify surface vulnerabilities and are unable to address the overall risk level of a scanned network. Although the scan process itself is highly automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities when none exist). This means an individual with expertise in networking and operating system security and in administration must interpret the results.

The Department contracted for the IT security expertise provided by the C&A contractor. The Department asked the C&A contractor to interpret the results of the scans. The C&A contractor did not believe that the scan "hits" identified anything significant regarding the existence of proper functioning of the related system security controls.

The C&A PWS asked the contractor to provide a report of any findings resulting from the vulnerability scanning and penetration testing. A definition of finding was not included in the PWS. The C&A contractor asked the Government to provide a definition. The OCIO Information Assurance staff provided a definition based on the only other source of "findings" with which they were familiar, namely OIG audits.
A finding in an OIG audit is something that needs to be brought to the attention of the senior management official and needs to be subsequently corrected. The C&A contractor did not, in their professional opinion, identify anything from the vulnerability scanning and penetration testing that met this definition.

The C&A PWS also asked the contractor to take minutes at all out briefings and to provide a final C&A review report similar to the report format used for the previous system risk assessments. The intent was to ensure that the review methodology was clearly explained and that resulting findings, including associated risk level and recommended corrective action, were provided. When the C&A contractor provided advanced copies of their C&A briefing report, the C&A project management team believed that these materials fully met the intent of the reporting format, as well as the intent of the requirement regarding the taking of minutes. The COR verbally changed these requirements and the work continued with these modifications. OCIO Information Assurance staff believed that this experienced COR was following all of the Department's contract procedures.

The designated C&A contract COR left the Department in the fall of 2003 following the completion of the first round of C&A. A second OCIO COR was identified. All of the deliverables for the second and third rounds of C&A were of the same quality and type as had been accepted under the first round. Everyone believed that proper procedures had been followed.
Everyone was satisfied with the content and quality of deliverables and believed that the Department was properly moving forward to C&A all its systems and meet OMB's timeline.

Comments on the Draft Audit

The Department acknowledges that it could have improved contract monitoring efforts by reminding the COR of his/her basic contract monitoring responsibilities and limitations, specifically that

   •   CORs, when using other Department staff and contractor project management support to assist with contract monitoring, are ultimately accountable to the contracting officer for the responsibilities in contract monitoring, and
   •   CORs are not authorized to direct changes to the contract and that CORs must communicate with their contracting officers to form a cooperative working relationship so that when changes are needed to contract requirements, the contracting officer can authorize such changes provided they are in the Government's best interest.

However, while acknowledging that contract related processes early in the C&A contract period could have been performed to more closely adhere to the Department's contract procedures and policies, the Department does not concur in whole, with the findings of the draft audit. The Department believes that the C&A contractor's performance met the objectives of the contract in support of the C&A program. A response to specific points in the draft audit is provided in the following.

       Finding No.
       1 – Department Staff Did Not Effectively Manage the C&A Contract.

The Department agrees that as defined by ACS OCFO:2-108, Contract Monitoring for Program Officials, it is the policy of the Department to monitor every contract to the extent appropriate to provide assurance that the contractor performs the work called for in the contract, and to develop a clear record of accountability for performance. Elements of importance to the Department when monitoring for contractor performance include: contractor performance outcomes and specifications, timeliness, quality, and cost control. The PWS for the C&A contract stated that the scope of the PWS covers the responsibilities and activities of Phase 3, Validation of the C&A process and that the C&A contractor shall perform technical certification activities on behalf of the Certifier, and that the Department's primary goal is to meet the C&A schedule described under the Scope section of this document.8

           a.  The COR, other OCIO staff, and the project management contractor, did not adequately track and inspect deliverables to ensure that contract requirements were met.

The Department specified process outputs, deliverables, acceptance criteria, and dates due. The OIG reports that deliverables were not provided.

The Department disagrees with the following.

Rules of Engagement, Evidence that Vulnerability Scans/Penetration Testing was Conducted, Minutes for System Owner and Certifier Out Briefs.
The COR accepted the single rules of engagement deliverable from the contractor as meeting this requirement for all of the systems. System managers required testing agreements that detailed when and how the tests would be conducted. These agreements were negotiated at meetings attended by C&A contract management team members. It is not possible to complete the scanning logistics at the VDC, Rockville, EDNet or COD without establishing these agreements. This is standard practice and common knowledge. The audit occurred four to six months after the end of the related contract period. Although OCIO has not been able to locate any copies of these agreements, it would not have been possible for ICS to execute the scans and ST&E tests without such agreements. The COR accepted the communications at the weekly working group meetings that confirmed non-damaging execution of the vulnerability scans and penetration testing as the related deliverable. The COR accepted the Microsoft PowerPoint report as meeting the deliverable requirements for the minutes.

Matrices of Observations, Vulnerability Scans/Penetration Testing Reports, System Owner and Certifier Out Briefs. The matrices of observation were not a required deliverable. They were work papers that supported the required deliverable of analysis of the security documentation. The required analysis was provided in the out brief presentation. The contractor voluntarily provided the Matrices of Observations for most systems on the CDs that included contract required deliverables at the time of Certifier Out Briefings. The Matrices of Observations were not, however, deliverables required under the contract. After the initiation of the C&A contract audit and OIG began to ask questions about the Matrices of Observations, OCIO included the matrices in the analysis of everything ICS provided to the Department. This analysis was tracked in an Excel Workbook.
The Excel workbook was never used during the related contract\nperiod to track required deliverables. The COR required vulnerability scanning and penetration\ntest reports for items that the contractor believed should be brought to the attention of the\nCertifier. Since there were no such items, there were no related deliverables. While the\n8\n    PWS, Section 3 \xe2\x80\x93 Scope, and Section 4- Task 4.1, \xe2\x80\x9cCertification Review Group Support\xe2\x80\x9d.\n\x0c                                                                                          Attachment 4\n                                                                                           Page 6 of 10\n\n\n\nDepartment agrees that the briefing reports were not totally consistent, the out briefs did meet the\ndeliverable requirements; although the Department acknowledges that some of the items were\nverbally reported by the CRG. The Department takes further exception to the OIG assertion that\nthe deliverables did not meet the acceptance criteria. The COR judged the deliverables\nreferenced in this sub- finding as meeting the acceptance criteria.\n\nAssurance that 2002 Risk Assessment Findings Have Been Mitigated. The OIG further reports\nthat the contractor did not report on whether issues noted in the 2002 risk assessments had been\nmitigated as required by the contract. The Department submits that no system entered the C&A\nprocess with open risk assessment findings. All system managers stated in writing, that all risk\nassessment findings had been corrected. The C&A contractor verbally confirmed that all risk\nassessment findings had been addressed. 
The COR accepted this verbal confirmation, in concert with the documentation provided by system managers, as meeting the deliverable requirement.

Inconsistency Between Matrices of Observations and System Owner and Certifier Out Briefs. Lastly, the OIG reports that issues reported in the matrices of observations were not consistent with issues reported in the system owner and certifier out briefs. As stated previously, the matrices of observations were not a deliverable under this contract. These documents reflect the initial review of the security documentation by the C&A contractor. It was an established and government approved process to allow the system manager to correct any findings during the review and thereby remove such findings from the resulting report. The C&A review was never intended to be an audit, but rather a report of the security posture of the system in question at the time of the Certifier briefing. All issues listed in the matrices of observations that were not in out briefs were validated as corrected prior to the out briefs.

a(1) Deliverables were not adequately tracked and inspected for 3 reasons.

OCIO Fragmented Contract Management Responsibilities

The Department agrees that per Department policy, the COR is responsible to the contracting officer for monitoring the programmatic or technical aspects of the contract. However, it is not uncommon, depending upon the size and complexity of a contract, for the program manager to allocate contract monitoring responsibilities for subcomponents of the contract to staff possessing subject matter expertise and other staff with experience in contract monitoring to assist the COR in managing the technical requirements. The Department can, in some high-risk contract requirement situations, outsource project management responsibilities, provided these responsibilities are not inherently governmental. In order to protect the Department’s IT assets as required under NIST and other guidelines, OCIO embarked on an effort to aggressively C&A its systems. OCIO therefore contracted for a certified and experienced project manager to help ensure that government staff established timelines and process consistency. While Department staff had subject matter expertise, none had sufficient project management certification or expertise with a project of this size and scope.

Monitoring Focused on Schedules, Not Deliverables

To reiterate, the Department’s primary goal under this contract was to meet the C&A schedule described under the Scope section. The written audit trail of monitoring activities focused on the schedule because that was the most complex and varied element. However, the Department disagrees that deliverables were not also a focus of contract monitoring. The COR and staff reviewed actual deliverables, which led to changes to requirements. While meeting the schedule may have been a primary focus, the quality of the review of the deliverables for acceptance was not sacrificed. Had the deliverables not met the acceptance criteria, the Department would not have considered the schedule met.

Receipts Process for Service Contracts Does Not Document Acceptance of Deliverables

Payment under the contract was based on adequate progress in the form of six monthly progress payments and was not directly tied to the acceptance of deliverables. The Department believes that sufficient monthly progress was made by the contractor and was the basis for any payment. It was not intended for the receipts process to be the source of documentation for accepting contract deliverables.
However, should contract payment be based on deliverables, the receipts process is adequate for documenting the receipt and acceptance of deliverables. Furthermore, while the Department acknowledges that the audit trail for accepting deliverables is not present, the COR judged the deliverables received as meeting the acceptance criteria and therefore, performance incentive payments were properly made.

b. OCIO staff gave unauthorized instructions to the contractor to reduce the scope of work to be performed.

The Department agrees with the OIG finding that the COR was not authorized to direct changes to the contract and that the contracting officer was unaware that these clarifications and changes were made in the contract requirements. Additionally:

• The Department concurs that a special arrangement was reached with TSYS, the COD vendor, and their auditor, KPMG, to have the C&A contractor observe KPMG perform the vulnerability scans and penetration testing for the COD system as part of the TSYS SAS 70 audit. The scans that were conducted as part of the normal SAS 70 audit were deemed satisfactory by the C&A contractor for purposes of the C&A effort. The C&A contractor conducted their independent analysis of the scan results and based their required deliverable, the C&A analysis report, upon this process. The C&A contractor acknowledged that their November 5, 2003 Weekly Status Report misstated the issues surrounding the COD scanning. The COR staff and FSA staff believed that the C&A contractor met the vulnerability scanning deliverable requirements. Subsequent to this work, KPMG, in the normal course of their engagement with TSYS, destroyed the scan results. This is KPMG’s normal practice. Consistent with the rules of engagement summarized in the meeting minutes dated 9/11/2003, the KPMG work papers and other output and results could not be removed from TSYS’ premises. Consequently, evidence that the scans were executed and results produced and analyzed no longer exists or cannot be made available to ED under the rules of engagement. ED is in the process of obtaining security sign in/out documentation from TSYS and affidavits/attestations from the C&A contractor to attest to their presence on-site at TSYS when KPMG performed the SAS 70 scans.

• The Department concurs that the C&A contractor did not execute the vulnerability scans for DLSS. The DLSS contractor (ACS) runs routine scans of DLSS. A routine scan of DLSS was performed by ACS in October 2003. Please note that the C&A contractor was not present for and, therefore, did not observe the actual configuration of the software and execution of this routine scan. The C&A contractor did communicate with ACS about the software and types of scans that ACS performs on DLSS. Based on the information provided by ACS, the C&A contractor determined that the software used and scans performed by ACS were the same that they (the C&A contractors) used in the C&A process. The C&A contractors requested and used ACS’s October 2003 scan results for their C&A analysis and based their required deliverable, the C&A analysis report, upon this process. The COR staff and FSA staff believed that the C&A contractor met the vulnerability scanning deliverable requirement.

• The Department does not agree with the OIG interpretation of the contract requirements for penetration testing.
The contract specifically required penetration testing to leverage vulnerabilities discovered during the scans. Since no vulnerabilities that met the agreed upon definition of ‘finding’ were discovered, there was nothing to attempt to leverage via penetration testing.

• While the Department is in agreement that the COR did not perform all of his/her duties in conformance with Department policy, the Department is not convinced that the unauthorized changes and direction that occurred are a result of a fragmented COR monitoring team. As stated previously, all CORs assigned to this contract had a number of years’ experience as IT contract CORs.

• The Department concurs that verbal agreements with the contractor presented the possibility of future confusion and/or disagreements; however, these agreements did not result in a reduced level of effort that impacted price. The verbal agreements clarified the original intent of the contract, and the level of effort for which we contracted was received.

• The Department does not concur that the verbal agreements regarding the extent of penetration testing for the Tier 4 systems resulted in less assurance for the Department that these high-risk systems were adequately protected against unauthorized access. We believe most Federal civilian agencies do not utilize vulnerability scanning or penetration testing in their C&A reviews. The Department opted for a C&A review that exceeded that employed at the majority of Federal civilian agencies because we wanted to provide a higher level of assurance. We believe that higher level of assurance was realized.

c. The COR/OCIO staff did not ensure that the CO was informed of changes in key personnel and that the contractor submitted to the CO formal notice and requests for written approval of substitution of key personnel.

The Department concurs with this finding. However, the Department disputes that the level of knowledge of the contractor personnel substituted without the knowledge of the contracting officer may not have equaled that of the designated key personnel upon which the contract award decision was at least partially based. Although the contracting officer was not properly involved with these personnel changes, the C&A project management team did closely review and discuss these changes prior to implementation. The resumes and qualifications were reviewed before personnel changes were made. The level of service and personnel skills and expertise were specifically addressed and monitored. The Department did not receive any reduction in service or quality. For the OIG to infer this is purely speculative in nature.

d. The COR did not document evaluations of contractor-submitted reports or provide written evaluations of the reports to the CO.

The Department concurs with this finding. The C&A contractor delivered the reports; however, the Department acknowledges that the subsequent audit trail of reviews does not exist.
The OIG purports that potential problem indicators included in the reports may not have been detected by the COR, and that, because the contracting officer was not provided evaluations confirming that reports were being received as required by the contract, the contracting officer could not take any required action to protect the Government’s interest. The Department does not believe that any potential problems were overlooked.

Department Response to OIG Recommendations for Finding No. 1

1.1.a The Department concurs with this recommendation. A customized database has been implemented to assist in tracking deliverables at the requirements level. Requirements checklists have been developed that are used to validate formal acceptance of all deliverables. Formal deliverable acceptance is documented in writing.

1.1.b The Department concurs with this recommendation. The contracting officer is specifically cited throughout the modified PWS as the only authorized individual to make any changes to the contract.

1.1.c The Department concurs with this recommendation. The contracting officer notification of key personnel changes is already in effect.

1.1.d The Department concurs with this recommendation. The COR has already begun documenting contractor reports and submitting the evaluations to the contracting officer.

1.1.e The Department concurs with this recommendation. The COR has already begun building a proper contract file that reflects all information required to carry out the monitoring responsibilities.

1.2 The Department concurs with this recommendation. Several meetings have already taken place, beginning in July 2004, to discuss the contract monitoring plan and to clarify roles and responsibilities.

1.3 The Department concurs with this recommendation. Processes are already in place that ensure that any substitution in key personnel follows appropriate procedures.

1.4 The Department concurs with this recommendation. The contracting officer will ensure that any changes in COR responsibilities receive the proper appointment memoranda.

1.5 The Department does not concur with the underlying findings for this recommendation and therefore does not concur with the recommendation. The Department does not concur that incentive payments were made to the contractor improperly, that deliverables were unacceptable, or that more was paid than should have been for the work completed. The Contracting Officer had already determined that an opinion is not required from the Office of General Counsel.

Finding No. 2 - The Performance Work Statement Did Not Require Sufficient Documentation to Support C&A Recommendations and Decisions

The Department does not agree that the original PWS did not require sufficient documentation to support certification decisions. The documentation requirements in the original PWS were consistent with those in other Federal agencies and based on Federal guidelines to support C&A recommendations and decisions. NIST 800-34 places the emphasis on the System Security Plan and the Security Test and Evaluation (ST&E) plan. The original PWS placed a similar emphasis on these two areas as the basis for the subsequent C&A recommendations and decisions. Thorough and consistent ST&E plans were executed for each of the 10 systems reviewed in this audit.

Department Response to OIG Recommendations for Finding No. 2

2.1. The Department concurs with this recommendation and this action is completed.

2.2. The Department concurs with this recommendation. This action has been implemented with the current contract modification that will be a template for future C&A contracts.

Thank you again for this opportunity to respond. Should you have questions, please contact Glenn Perry, Director, Contracts and Acquisitions Management at (202) 245-6200.